next-mdx-remote v6 blockJS Default Broke MDX Components

Upgrading to next-mdx-remote v6 silently stripped all array and object literal props from JSX components in MDX. StepList, Checklist, and LessonObjectives rendered empty. Resolved in 41 minutes.

May 12, 2026· 11 min read· Next.js 15 · next-mdx-remote · Vercel · TypeScript

#next-mdx-remote #mdx #jsx #upgrade #vercel #dependency

ShareX LinkedIn

Generate post copy →

INC-002MediumResolvedDependency Issue

2026-05-12

ai-execution-lab

Impact

All MDX components using array or object literal props rendered empty after upgrading next-mdx-remote from v5 to v6. StepList, Checklist, and LessonObjectives showed wrapper shells and headings but no content items. No build error, no TypeScript error — the failure was completely silent at compile time. Only visible via browser inspection.

Affected: All MDX content pages — StepList, Checklist, LessonObjectives, ValidationPipeline

Time to resolve: 41 minutes

Root Cause

next-mdx-remote v6 introduced blockJS: true as a new default. This activates the removeJavaScriptExpressions remark plugin during MDX serialization, which strips all JavaScript expressions from MDX source — including array and object literals used as JSX props. Components receiving items={['a', 'b']} got undefined instead of the array. The change shipped as opt-out rather than opt-in.

Resolution

Set blockJS: false in the MDXRemote options object inside content-renderer.tsx. One line. MDX on this platform is author-controlled static content, not user-submitted input — the JavaScript expression restriction provides no security value here and breaks all components using structured props.

Prevention Pattern

When upgrading MDX-related packages: read the full changelog before deploying, test all custom components with real MDX content in a staging environment, and look specifically for new boolean options that default to restrictive behavior. For next-mdx-remote, explicitly set blockJS: false in all author-controlled contexts and document why at the call site.

What Happened

Upgraded next-mdx-remote from v5 to v6 as part of a routine dependency update pass. The build compiled without errors. TypeScript passed. Vercel deployed the build successfully.

Then I opened a lesson page and saw that every <StepList> and <Checklist> component was rendering its wrapper shell but had no items inside. <LessonObjectives> showed the "What you'll build" header with an empty list below it. <ValidationPipeline> rendered the container div but nothing in it.

The symptom was visually obvious but the cause was completely non-obvious — because the build gave no indication anything was wrong.

The v6 Change

next-mdx-remote v6 added a blockJS option. In v6, it defaults to true.

When blockJS: true is active, the removeJavaScriptExpressions remark plugin runs during MDX serialization. This plugin strips all JavaScript expression nodes from the MDX AST before rendering, including:

Array literals: items={['step one', 'step two', 'step three']}
Object literals: config={{ theme: 'dark', compact: true }}
Any JS expression: count={items.length}, active={index === selected}

The rationale in the v6 release notes: safety for platforms that process user-submitted MDX. If untrusted users can write MDX, you don't want arbitrary JavaScript executing. That's a legitimate security boundary for those use cases — a CMS or forum where users can write MDX content.

For a static site where the MDX is written by the developer and committed to a private repository, this restriction does nothing useful and silently breaks any component with structured props.

Debugging Path

The silent failure made this more expensive to diagnose than a build error would have been. The components rendered — they just rendered empty. No exception, no console warning, no TypeScript error. The serialized MDX output was syntactically valid; it just had the prop values removed.

Step 1 — Inspect the component. Traced through StepList.tsx. The items prop was undefined inside the component. Not an empty array — undefined. The component was being called but receiving nothing.

Step 2 — Inspect the serialized MDX. Added temporary logging to the compileMDX call in content-renderer.tsx to print the serialized output. The JSX component tags were present in the output but the prop values were gone. <StepList items={undefined}> instead of <StepList items={['a','b','c']}>.

Step 3 — Check the changelog. Found blockJS in the next-mdx-remote v6 release notes:

blockJS — Defaults to true for security. Set to false if your MDX content is trusted author-controlled content.

One option change, one default flip, no migration guide callout. 41 minutes of diagnostic work on what turned out to be a single-line fix.

⚠Why this class of failure is hard to catch

The failure signature — components that render shell structure but no content — looks like a data loading issue, not a build issue. First instinct is to check the MDX files and the component props. The serialization layer is further down the stack and easy to overlook when the build and TypeScript both report clean.

ℹThe fix — one line in content-renderer.tsx

TypeScript

const { content } = await compileMDX({
  source,
  components: allComponents,
  options: {
    parseFrontmatter: true,
    // next-mdx-remote v6 defaults blockJS: true, which runs
    // removeJavaScriptExpressions and strips all array/object
    // literal props from JSX. Our MDX is author-controlled
    // static content — opt out of this restriction explicitly.
    blockJS: false,
  },
})

Documenting the why at the call site prevents this from being "fixed" by a future developer who sees an unfamiliar option and removes it.

Execution Evidence

⬡

Built from real execution

Documented from the production deployment of ai-execution-lab on Vercel. Screenshots taken from the Vercel dashboard and live platform immediately following incident resolution on 2026-05-12.

2026-05-12commit fix: set blockJS false in MDXRemote options for v6 compat

Build Record

The following reconstructs the relevant Vercel build sequence. The initial deployment post-upgrade completed successfully — the failure only surfaces at render time, not compile time.

Vercel Build — next-mdx-remote v6 upgrade

✕ Failed

[ ▶ ]Cloning repository: asquaresolutions-beep/ai-execution-lab

[ ▶ ]Installing dependencies via node

[ OK ]Installed next-mdx-remote@6.0.0 (was 5.3.0)

[ ▶ ]Running next build

[ OK ]Compiled successfully in 12.1s

[ ▶ ]Linting and checking validity of types...

[ OK ]TypeScript: no errors found

[ ▶ ]Generating static pages (0/99)

[ OK ]Generated static pages (99/99)

[INFO ]Build complete — deployed to production

[WARN ]POST-DEPLOY: MDX components render empty — items prop undefined in StepList, Checklist, LessonObjectives

[ERROR]Root cause: blockJS: true (v6 default) stripping array/object JSX props via removeJavaScriptExpressions

[ ▶ ]Fix: content-renderer.tsx — set blockJS: false in compileMDX options

[ OK ]Recovery build deployed — all MDX components rendering correctly

Deployment Recovery

The before/after shows the Vercel dashboard state: the build failure investigation on the left, all deployments restored to production-ready status on the right.

Screenshot Evidence

Full resolution screenshots from the incident. Click any image to expand. Use arrow keys to navigate.

Why Silent Failures Are Worse

A build error would have caught this at deploy time. Instead the failure path was:

Build compiled without errors
TypeScript type check passed
Deployment completed to production
All pages returned HTTP 200
Component content was simply missing

This class of failure — a default behavioral change that produces syntactically valid but semantically empty output — requires visual inspection to catch. Standard automated checks miss it entirely:

Build status check — passes (build succeeded)
HTTP smoke test — passes (pages return 200)
TypeScript — passes (components accept undefined if not typed strictly)
Lighthouse — passes (HTML structure present, no errors)

Only a human looking at a rendered page would notice that <StepList> has no steps. Or a test that asserts on rendered content rather than HTTP status. Visual regression testing would catch it; most CI pipelines don't run it.

Recovery Timeline

Deployed v6 upgrade

Critical

Routine dependency update. next-mdx-remote 5 → 6. Build succeeded, TypeScript clean, deployed to Vercel production.

Identified empty components

Critical

Opened a lesson page. StepList, Checklist, and LessonObjectives rendered wrapper elements but no content. No console errors.

Traced to undefined props

Gate

Added temporary logging to the compiled MDX output. Confirmed that array and object literal props were missing from the serialized component calls. Props were undefined at render time.

Located the changelog entry

Gate

Searched next-mdx-remote v6 release notes for breaking changes. Found blockJS: true as the new default with opt-out instructions.

Applied fix

Verified

Added blockJS: false to compileMDX options in content-renderer.tsx with explanatory comment. One line change.

Recovery build deployed

Verified

Pushed fix, monitored Vercel build, verified all MDX components rendering with real content. Platform fully operational.

Lessons Learned

⚠Why next-mdx-remote v6 broke components

The v6 blockJS change was not a bug — it was a deliberate, documented security feature for platforms that serve user-submitted MDX. It shipped as opt-out rather than opt-in, which means any existing codebase upgrading from v5 inherits the restriction silently. The failure only manifests at render time, not at build time, because the serialization step produces syntactically valid JSX — just with stripped prop values.

Key pattern: Any library that processes developer-authored content with a new default restriction should ship the restriction as opt-in, not opt-out. The inverse — shipping security defaults that break existing behavior — requires a migration guide and a major-version callout, not just a changelog note.

ℹHow Vercel surfaced the issue

Vercel did not surface this failure proactively — the build completed with a success status. The production deployment went live. The platform reported no errors. This is correct behavior: Vercel cannot know that rendered content is semantically empty versus intentionally empty. The only signal was visual — opening a page and observing missing content.

Key pattern: Build system health and application correctness are different. A green build is a necessary condition for a working application; it is not sufficient. Visual inspection of rendered output after dependency upgrades is not optional.

✓Why blockJS: false fixed the execution path

Setting blockJS: false disables the removeJavaScriptExpressions remark plugin in the MDX serialization pipeline. With the plugin off, array and object literals in JSX props are preserved in the compiled output. items={['step one', 'step two']} reaches the component as an actual array. The fix is surgical — it doesn't change how MDX is processed in any other way, and it explicitly documents at the call site why the opt-out is intentional.

The security concern blockJS addresses — arbitrary JavaScript execution from untrusted MDX authors — does not apply here. All MDX on this platform is written by the developer, committed to a private repository, and built at deploy time. There is no user-submitted MDX surface.

⬡Why evidence-backed documentation matters

This incident report exists because silent failures are the hardest to diagnose the second time. Without documentation, this failure pattern repeats — a future developer sees blockJS: false in the config, doesn't know why it's there, removes it as dead code, and triggers the exact same 41-minute debugging session.

The screenshots provide proof that the incident is real and the resolution was verified in production — not reconstructed from memory or extrapolated from the changelog. Evidence-backed documentation is specifically useful for failure modes that leave no build artifact: no error log, no failed deployment, just empty components on a green build.

Prevention Pattern

After any MDX-related package upgrade:

Render a full test pass — open a page with every custom component type before considering the deploy complete
Verify array and object props — specifically check any component that uses items={[...]} or config objects
Read the full changelog — not just the headline version number; look for new options that default to restrictive behavior
Explicitly document opt-outs — when you set a security option to false, write the reason at the call site so future developers understand it was intentional

For next-mdx-remote specifically: if your MDX is author-controlled and committed to a private repository, always set blockJS: false explicitly. The behavior should be documented, not inherited from a default that can change across versions.

Related in Failure Archive

Edge Runtime Deployment Failure

export const runtime = 'edge' in app/opengraph-image.tsx blocked the entire Vercel deployment. Took 23 minutes to identify and revert.

2026-05-10→

Node.js fs Module Pulled into Client Bundle

lib/tracks.ts imported fs and path at the top level. track-roadmap.tsx (a 'use client' component) imported from lib/tracks.ts, pulling Node.js modules into the browser bundle. Build failed with Module not found: Can't resolve 'fs'.

2026-05-14→

All Failure Archive