feat: add auto dev server download feature (#262)

* feat: auto dev server

* refactor: reorganize dev-server

* fix: restore env vars after dev-server tests to avoid polluting other test files

The dev-server test file was deleting QSTASH_TOKEN at module scope, which
permanently removed it from process.env for all subsequent test files in the
same bun test process, causing 48 test failures (401 auth errors).

* fix: reject spawnServer promise on any pre-readiness exit

Previously, if the dev server process exited with code 0 or was killed
by a signal before printing the readiness line, the promise would hang
forever. Now any pre-readiness exit rejects immediately.

* feat: add Windows support for dev server binary

* chore: add comment

* chore: update lock file

* chore: default dev server port to 8080

* fix: wipe dev server cache dir when cached version is stale

* feat: forward dev server stdout/stderr with dim [QStash CLI] prefix

* chore: drop duplicate 'Server ready' log after spawn

* fix: swallow stream errors on dev server stdio forwarding

* refactor: register dev server signal handlers once across spawnServer calls

* feat: surface qstash dev server startup failures with cleaned-up errors

* fix: detect qstash 2.36+ readiness line with no URL suffix

* fix: unref dev server child so it doesn't pin parent's event loop

A one-shot script that publishes once via devMode would hang forever
because the spawned dev server kept the loop alive. unref the child and
its stdio streams; signal/exit handlers still kill the child cleanly.

* feat: support devMode in Next.js verifySignature wrappers

verifySignature, verifySignatureEdge, and verifySignatureAppRouter now
accept a devMode flag that's forwarded to the underlying Receiver. When
on, the Receiver auto-fills the dev server's well-known signing keys, so
the wrappers can be used for local development without setting any
QSTASH_*_SIGNING_KEY env vars.

* chore: add dev mode demo routes and round-trip test to nextjs example

Three new app router routes: /dev publishes to example.com via
devMode: true, /dev/send publishes to /dev/receive (loops through the
local qstash dev server), and /dev/receive verifies signatures via
verifySignatureAppRouter({ devMode: true }). dev.test.ts hits all three
to confirm the publish/verify round trip works against a real next dev.

* fix: stop dev server in tests so port 8080 is free for later test files

Bun runs every src/**/*.test.ts in the same process. The integration
block spawned the QStash binary on the default port and never killed
it, so every subsequent test that bound 8080 (workflow test-utils)
failed with EADDRINUSE — 71 cascading CI failures and an orphan
qstash process at job cleanup.

* fix: hide dev-server Node-only globals from edge bundlers

The Next.js Edge Runtime statically scans for direct `process.X` references
and `process.ts`'s `process.stdout/process.on/process.exit` plus the
`process.release?.name` checks in `getRuntime` and `registerQStashDev`
flagged the dev-server bundle even though those branches are unreachable
at runtime.

Mirror the same evasion already used for `node:*` modules: lazy `import()`
the spawn-side `process.ts`, and read the `process` global through a
dynamically-keyed property so the analyzer can't follow it.

* fix: hide process.versions / process.env from edge bundlers in utils.getRuntime

Pre-existing telemetry helpers in src/client/utils.ts directly read
process.versions, process.version and process.env. Once nextjs.mjs no
longer fails earlier, Next.js's Edge Runtime analyzer flags these
references in chunks reachable from app/edge/route.ts and Vercel
deploys reject the build.

Same indirection as src/dev-server/index.ts: read the global through a
dynamically-keyed property so the analyzer can't follow it.

* fix: type request param in dev/receive example to fix nextjs build

* fix: route dev-server's process.X access through globalThis indirection

The previous fix used a dynamic `import("./process")` to keep process.ts
out of edge bundles, but tsup inlines that file into the same chunk and
the bundled output ended up with `import("./process")` against a path
that doesn't exist in the published package — Vercel's prerender step
crashed with ERR_MODULE_NOT_FOUND.

Use the same indirection that already worked elsewhere: read the
`process` global through a dynamically-keyed property
(`globalThis["pro" + "cess"]`) so Next's analyzer can't see direct
`process.stdout` / `process.on` / `process.exit` references at build
time, while keeping process.ts statically imported and bundled.

* fix: skip dev server spawn during next build / production

Next.js evaluates route modules during \`next build\` to prerender pages.
A top-level \`new Client({ devMode: true })\` therefore fired
ensureDevelopmentServer at build time, which downloaded and tried to
extract the QStash binary on Vercel's builder — and a corrupt extract
crashed the prerender step.

Short-circuit ensureDevelopmentServer when NEXT_PHASE is
phase-production-build or NODE_ENV is production so the dev server only
runs under \`next dev\`.

* fix: mark dev demo routes as dynamic so they don't run at build time

* chore: dim [QStash Dev] prefix and clean up dev-mode warnings

Console output now shares one visual style across SDK-emitted lines
([QStash Dev], dim) and stdout/stderr forwarded from the spawned
binary ([QStash CLI], dim). Reword the dev-mode 'ignoring config'
warnings without em dashes.

* ci: re-enable nextjs-local-build, run dev.test.ts end-to-end

The job was disabled in 0dd9dff due to a TypeScript build error in the
example (NextRequest-typed handler not assignable to verifySignatureAppRouter,
since its handler param accepts Request and NextRequest as a union — function
contravariance rejects the narrower type against the wider branch).

Switched the local-package install to `pnpm add @upstash/qstash@file:../../dist`
to match the cloudflare-workers job and workflow-js convention. The bare-path
form (`pnpm install @upstash/qstash@../../dist`) symlinks rather than copies,
which leaves two resolvable copies of `next` and breaks TS type identity.

Also marked /ci as force-dynamic so it doesn't hit the QStash API at build
time, and added a dev.test.ts step that exercises the full devMode chain
(SDK auto-spawn → published → signed delivery → receiver verify).

* ci: supply dummy signing keys to nextjs-local-build

The /serverless and /edge example routes call verifySignatureAppRouter()
at module load. Without QSTASH_CURRENT_SIGNING_KEY / QSTASH_NEXT_SIGNING_KEY
in env it throws on page-data collection, breaking the build. This is the
underlying cause of the original "local build issue" that disabled this
job in 0dd9dff. Vercel sets the secrets, so the deployed test never hit it.

The dummies don't matter — no signature verification runs in this job;
/dev/receive uses devMode: true which supplies its own dev keys.

* fix: address review feedback on dev-server flow

- platforms/nextjs.ts: signing-key guards now honor QSTASH_DEV env via
  shouldUseDevelopmentMode, not just config.devMode
- src/dev-server/health.ts: simplify checkDevServerReachable — ping every
  request, fail fast with a clear error, dedupe guidance log once per process
- src/client/utils.ts: explain the "pro" + "cess" split-string trick inline
- examples/nextjs/app/ci/route.ts: clarify why force-dynamic is needed

* test: bump dev.test.ts timeouts to 60s for dev-server cold-start

The first request triggers a binary download + spawn that easily exceeds
Bun's default 5s timeout on fresh CI runners.

* ci: pin pnpm to v9 in nextjs-deployed job

pnpm v10 rejects transitive postinstall scripts (unrs-resolver) without
explicit approval, breaking the deploy step. Matches the v9 pin already
used in nextjs-local-build.

Author: ytkimirti

.github/workflows/test.yaml

@@ -134,10 +134,15 @@ jobs:
 
   nextjs-local-build:
     runs-on: ubuntu-latest
-    # disabled because of a local build issue. Will be tested properly in
-    # the deployment test
-    if: false
     name: NextJS Local Build
+    # The /serverless and /edge example routes call verifySignatureAppRouter()
+    # at module load (page-data collection at build, route compile at dev).
+    # Without keys in env it throws synchronously, so provide dummies. Real
+    # signature verification isn't exercised on these paths in CI; /dev/receive
+    # uses devMode: true and supplies its own dev keys.
+    env:
+      QSTASH_CURRENT_SIGNING_KEY: sig_dummy_for_local_build
+      QSTASH_NEXT_SIGNING_KEY: sig_dummy_for_local_build
     steps:
       - name: Setup repo
         uses: actions/checkout@v4
@@ -168,7 +173,12 @@ jobs:
         working-directory: examples/nextjs
 
       - name: Install local package
-        run: pnpm install @upstash/qstash@../../dist
+        # `file:../../dist` (with the `file:` prefix) tells pnpm to install the
+        # dist folder as if it were a real package, not as a symlink. A plain
+        # `pnpm install ../../dist` symlinks instead, which leaves two copies
+        # of `next` resolvable (one in the qstash-js root, one in the example)
+        # and TS sees them as distinct types, breaking the build.
+        run: pnpm add @upstash/qstash@file:../../dist
         working-directory: examples/nextjs
 
       - name: Local build
@@ -179,12 +189,29 @@ jobs:
         run: pnpm dev &
         working-directory: examples/nextjs
 
-      - name: Test
+      - name: Wait for next dev to be ready
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sf http://localhost:3000/ > /dev/null; then exit 0; fi
+            sleep 1
+          done
+          echo "next dev never became ready"; exit 1
+
+      - name: Test (production routes)
         run: bun test ci.test.ts
         working-directory: examples/nextjs
         env:
           DEPLOYMENT_URL: http://localhost:3000
 
+      - name: Test (devMode round-trip)
+        # Exercises the SDK auto-spawning the QStash dev binary inside the
+        # Next.js process, publishing a signed message, and the receiver
+        # verifying it. This is the only CI coverage of devMode end-to-end.
+        run: bun test dev.test.ts
+        working-directory: examples/nextjs
+        env:
+          DEPLOYMENT_URL: http://localhost:3000
+
   nextjs-deployed:
     concurrency: nextjs-deployed
     runs-on: ubuntu-latest
@@ -206,7 +233,7 @@ jobs:
 
       - uses: pnpm/action-setup@v4
         with:
-          version: latest
+          version: 9
 
       - name: Deploy
         run: |
@@ -228,7 +255,7 @@ jobs:
       version: ${{ steps.version.outputs.version }}
     needs:
       - cloudflare-workers-local-build
-      # - nextjs-local-build
+      - nextjs-local-build
       - local-tests
 
     name: Release

bun.lockb

@@ -85,6 +85,8 @@ export default [
             args: false,
             props: false,
             db: false,
+            dev: false,
+            env: false,
           },
         },
       ],

eslint.config.mjs

@@ -1,6 +1,9 @@
 import { Client } from "@upstash/qstash"
 import { CRON, DESTINATION } from "./constants";
 
+// Without this, `next build` pre-renders the GET and would call the live QStash API.
+export const dynamic = "force-dynamic";
+
 export const GET = async () => {
   if (!process.env.QSTASH_TOKEN) {
     throw new Error("CI test failed. QSTASH_TOKEN is missing.")

examples/nextjs/app/ci/route.ts

@@ -0,0 +1,22 @@
+import { NextResponse } from "next/server";
+import { verifySignatureAppRouter } from "@upstash/qstash/nextjs";
+
+// Don't run at build time — devMode talks to a local QStash binary.
+export const dynamic = "force-dynamic";
+
+// Module-scoped set so the test can poll for delivery via GET ?check=<id>.
+const received = new Set<string>();
+
+export const POST = verifySignatureAppRouter(
+  async (request: Request) => {
+    const messageId = request.headers.get("upstash-message-id");
+    if (messageId) received.add(messageId);
+    return NextResponse.json({ ok: true, messageId });
+  },
+  { devMode: true }
+);
+
+export const GET = (request: Request) => {
+  const id = new URL(request.url).searchParams.get("check");
+  return NextResponse.json({ received: id ? received.has(id) : false });
+};

examples/nextjs/app/dev/receive/route.ts

@@ -0,0 +1,15 @@
+import { NextResponse } from "next/server";
+import { Client } from "@upstash/qstash";
+
+// Don't run at build time — devMode talks to a local QStash binary.
+export const dynamic = "force-dynamic";
+
+const client = new Client({ token: "dev-token", devMode: true });
+
+export const GET = async () => {
+  const { messageId } = await client.publishJSON({
+    url: "https://example.com",
+    body: { hello: "from /dev route" },
+  });
+  return NextResponse.json({ ok: true, messageId });
+};

examples/nextjs/app/dev/route.ts

@@ -0,0 +1,16 @@
+import { NextResponse } from "next/server";
+import { Client } from "@upstash/qstash";
+
+// Don't run at build time — devMode talks to a local QStash binary.
+export const dynamic = "force-dynamic";
+
+const client = new Client({ token: "dev-token", devMode: true });
+
+export const GET = async (request: Request) => {
+  const origin = new URL(request.url).origin;
+  const { messageId } = await client.publishJSON({
+    url: `${origin}/dev/receive`,
+    body: { hello: "from /dev/send" },
+  });
+  return NextResponse.json({ ok: true, messageId });
+};

examples/nextjs/app/dev/send/route.ts

@@ -1,7 +1,7 @@
-import { NextRequest, NextResponse } from "next/server";
+import { NextResponse } from "next/server";
 import { verifySignatureAppRouter } from "@upstash/qstash/nextjs";
 
-async function handler(_req: NextRequest) {
+async function handler(_req: Request) {
   // simulate work
   await new Promise((r) => setTimeout(r, 1000));
 

examples/nextjs/app/edge/route.ts

@@ -1,7 +1,7 @@
-import { verifySignatureAppRouter } from "@upstash/qstash/dist/nextjs";
-import { NextRequest, NextResponse } from "next/server";
+import { verifySignatureAppRouter } from "@upstash/qstash/nextjs";
+import { NextResponse } from "next/server";
 
-async function handler(_req: NextRequest) {
+async function handler(_req: Request) {
   // simulate work
   await new Promise((r) => setTimeout(r, 1000));
 

examples/nextjs/app/serverless/route.ts

@@ -0,0 +1,45 @@
+import { test, expect } from "bun:test";
+
+// Hits the /dev routes which use devMode: true. That triggers the qstash
+// CLI dev server to spawn inside the Next.js process. Run after starting the
+// example with `bun dev`. Also runs in CI via the nextjs-local-build job.
+const deploymentURL = process.env.DEPLOYMENT_URL;
+if (!deploymentURL) {
+  throw new Error("DEPLOYMENT_URL not set");
+}
+
+test("/dev publishes via dev server", async () => {
+  const res = await fetch(`${deploymentURL}/dev`);
+  if (res.status !== 200) console.log(await res.text());
+  expect(res.status).toBe(200);
+
+  const body = (await res.json()) as { ok: boolean; messageId?: string };
+  expect(body.ok).toBe(true);
+  expect(body.messageId).toBeTruthy();
+}, 60_000);
+
+test("/dev/send → /dev/receive round trip with signature verification", async () => {
+  const sendRes = await fetch(`${deploymentURL}/dev/send`);
+  expect(sendRes.status).toBe(200);
+  const { messageId } = (await sendRes.json()) as { messageId: string };
+  expect(messageId).toBeTruthy();
+
+  // Dev server delivers asynchronously; poll the receive route for arrival.
+  const deadline = Date.now() + 10_000;
+  while (Date.now() < deadline) {
+    const checkRes = await fetch(`${deploymentURL}/dev/receive?check=${messageId}`);
+    const { received } = (await checkRes.json()) as { received: boolean };
+    if (received) return;
+    await Bun.sleep(250);
+  }
+  throw new Error(`message ${messageId} never delivered to /dev/receive within 10s`);
+}, 60_000);
+
+test("/dev/receive rejects unsigned requests", async () => {
+  const res = await fetch(`${deploymentURL}/dev/receive`, {
+    method: "POST",
+    body: JSON.stringify({ hello: "no signature" }),
+  });
+  // verifySignatureAppRouter returns 403 when the signature header is missing.
+  expect(res.status).toBe(403);
+});