[BUG] Skew protection: RSC requests to previous deployment failing with 404

[alex-all3dp]

Describe the bug

I am currently testing the new skew protection feature and followed the docs to set it up, incl. removing Durable Objects from our setup.

open-next config:

import {defineCloudflareConfig} from '@opennextjs/cloudflare'
import r2IncrementalCache from '@opennextjs/cloudflare/overrides/incremental-cache/r2-incremental-cache'
import {withRegionalCache} from '@opennextjs/cloudflare/overrides/incremental-cache/regional-cache'

const openNextConfig = {
  ...defineCloudflareConfig({
    incrementalCache: withRegionalCache(r2IncrementalCache, {
      mode: 'long-lived',
      shouldLazilyUpdateOnCacheHit: true,
    }),
  }),
  cloudflare: {
    skewProtection: {
      enabled: true,
      maxNumberOfVersions: 20, // Maximum number of previous versions to use.
      maxVersionAgeDays: 60, // Age of the oldest version to use (from the last deployment date)
    },
  },
}

export default openNextConfig

Wrangler config:

{
  "$schema": "../../node_modules/wrangler/config-schema.json",
  "main": "cf-worker-with-sentry.ts",
  "name": "${worker_name}",
  "compatibility_date": "2024-12-30",
  "compatibility_flags": ["nodejs_compat", "global_fetch_strictly_public"],
  "assets": {
    "directory": ".open-next/assets",
    "binding": "ASSETS",
    "run_worker_first": true
  },
  "services": [
    {
      "binding": "WORKER_SELF_REFERENCE",
      "service": "${worker_name}",
    },
  ],
  "r2_buckets": [
    {
      "binding": "NEXT_INC_CACHE_R2_BUCKET",
      "bucket_name": "${r2_bucket_name}",
    },
  ],
  "observability": {
    "logs": {
      "enabled": true,
    },
  },
  "vars": {
    "NODE_ENV": "production",
    "CF_WORKER_NAME": "${worker_name}",
    "CF_PREVIEW_DOMAIN": "${worker_preview_domain}",
    "CF_WORKERS_SCRIPTS_API_TOKEN": "${worker_scripts_api_token}",
    "CF_ACCOUNT_ID": "${cf_account_id}",
   ...
  },
  "routes": [
    {
      "pattern": "${worker_domain}",
      "custom_domain": true,
    },
  ],
}

I can see on the worker that the CF_DEPLOYMENT_MAPPING is created and contains two versions as expected:

{"dpl-md48caff":"current","dpl-md41i73x":"a62c9ed3-4efa-4f2d-b0e2-9a95a3746e82"}

However when the app with the old version requests rsc data for dpl-md41i73x the worker responds with 404.

I can also reproduce this with curl. Successful request to the current deployment:

> curl https://<host>/<path>?_rsc=1i88b -I -H "X-Deployment-Id: dpl-md48caff" -H "Rsc: 1"
HTTP/2 200
date: Tue, 15 Jul 2025 08:12:25 GMT
content-type: text/x-component
cache-control: max-age=0, s-maxage=31536000, must-revalidate
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch
cache-tag: staging-page
x-opennext: 1
server: cloudflare
cf-ray: 95f7cb6b8adc9c0c-FRA
alt-svc: h3=":443"; ma=86400

Failing request to the previous version:

> curl https://<host>/<path>?_rsc=1i88b -I -H "X-Deployment-Id: dpl-md41i73x" -H "Rsc: 1"
HTTP/2 404
date: Tue, 15 Jul 2025 08:12:43 GMT
content-type: text/html
cf-ray: 95f7cbdd3b06dc50-FRA
vary: Accept-Encoding
server: cloudflare
alt-svc: h3=":443"; ma=86400

Not sure if I am missing anything in my setup? The API token seems to work, since listing the versions in the mapping succeeds? When the preview domain setting was wrong, I could see error logs for failed fetch requests. With the correct preview domain there are no more error logs, only the 404 response from what I assume is the call to the workers.dev URL for that deployment. When trying to invoke the preview URL directly, I also get the 404 response.

Let me know if you need any additional info in order to figure this out.

Thank you for your support!

Steps to reproduce

1. Setup skew protection according to docs
2. Deploy initial version
3. Open tab with initial version
4. Deploy new version
5. Interact with tab with old version in a way that triggers rsc requests
6. Observe 404 responses

Expected behavior

Successful rsc responses to previous deployment

@opennextjs/cloudflare version

1.5.1

Wrangler version

4.24.3

next info output

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 23.6.0: Wed Jul 31 20:53:05 PDT 2024; root:xnu-10063.141.1.700.5~1/RELEASE_ARM64_T8112
  Available memory (MB): 16384
  Available CPU cores: 8
Binaries:
  Node: 22.17.0
  npm: 10.9.2
  Yarn: N/A
  pnpm: N/A
Relevant Packages:
  next: 15.3.4 // There is a newer version (15.4.1) available, upgrade recommended! 
  eslint-config-next: 15.3.4
  react: 19.1.0
  react-dom: 19.1.0
  typescript: 5.8.2
Next.js Config:
  output: N/A

Additional context

No response

[vicb]

Thanks for the issue and detailed description @alex-all3dp

Could you please try to attach a minimal repro (link to a GH repository).

[alex-all3dp]

@vicb I don't know if I can easily replicate our setup in a minimal repo. Do you have a minimal example that you use for testing this feature? Maybe that could help me to find any configuration differences. If you have such an example, do these RSCs requests to the old deployment work as expected?

[vicb]

You can try to start for any of the examples in this repo.

[alex-all3dp]

Ok. That's what I used initially but I will take a look again. So for you the requests worked as expected and were served from the previous deployment?

[alex-all3dp]

@vicb I looked through the examples and the original PR again and it seems there is no example in this repo where skewProtection is enabled? Would it be possible for you to share some version of what you used for testing this feature as an example in this repo?