DEV Community

Prince
Prince

Posted on • Originally published at kostra.io

Top Next.js Boilerplates on GitHub: What Changed in 2026?

The vast majority of guides on "the best boilerplate" usually discuss the same repositories in identical words. But not this one.

The environment underwent some critical changes from October 2025 until June 2026. These include Next.js 16 and AI tooling, the complete removal of the middleware approach, the introduction of Cache Components and Turbopack bundling, and Tailwind CSS v4.

It is worth describing how the environment has changed since then, what implications it had on boilerplates, which ones managed to keep up with the trends and which are the best today.

What Changed in the Next.js Ecosystem in 2025-2026
That year, in particular, from June 2025 to July 2026, was one of the most eventful in terms of introducing breaking changes. Here is what happened at once during those two years:

Next.js 16 (October 2025): introduction of Cache Components, removal of middleware.ts, introduction of proxy.ts, and Turbopack as a development and production bundler. Next.js 16.1 (December 2025): turbopack file system caching. Next.js 16.2 (March 2026): stabilisation of the build Adapters API and AI tooling.

Tailwind CSS v4 (January 2025) total removal of tailwind.config.js in favour of CSS-first themes. The PostCSS configuration has been updated. Several utility classes' names were renamed. There is a high chance that a boilerplate that has not been migrated to the new version by now still uses outdated configuration.

Auth.js v5 has updated the mechanism for handling sessions in middleware.

React 19.2, which came with Next.js 16, has introduced the Activity component and useEffectEvent. It affects the way developers manage component visibility and effect dependencies.

There is a problem for programmers who clone boilerplates from GitHub repositories since there could be a popular (5,000+ stars) repository that has not been updated in 18 months. This meant that developers ended up with an outdated and potentially buggy codebase.

Next.js 16: What Boilerplates Had to Update
middleware.ts to proxy.ts
In Next.js 16, the proxy.ts was used instead of middleware.ts. The reason behind this change is that proxy.ts makes an application's network boundary clear. The move from middleware to proxy takes place both in a file name and in the exported function.

Thus, all boilerplates have had to migrate to this version in order to be compatible with Next.js 16.

Boilerplates that did not implement this migration will continue functioning with the previous Next.js, but any attempt to use Next.js 16 will cause malfunction or unexpected behaviour.

Cache Components and the use of the cache directive
Cache Components introduced a new approach in managing pages based on partial pre-rendering (PPR) and uses the cache directive. Thanks to this innovation, developers now have the ability to implement instant page navigation using just Cache Components.

Thus, if any boilerplate relied on experimental.ppr: true configuration, they would be using a non-existent configuration.

Development and Production Bundling with Turbopack
In Next.js 16, the bundling system was switched to Turbopack. During the MakerKit SaaS kit benchmark, it appeared that turbopack decreases the application development startup time from 1,083ms in Next.js 15 to 603ms. In terms of production bundling, Turbopack reduces building time almost five times down from 24.5s to 5.7s (Webpack vs. Turbopack).

Despite these impressive statistics, the move from the Webpack bundler did not require much effort from boilerplates. In fact, only some Webpack-related configuration had to be removed.

React Compiler (stable)
With the release of React compiler version 1.0, the compiler became stable. As a result, the reactCompiler configuration option appeared as well. It enables developers to memoise component rendering and avoid unnecessary re-renders. Again, there are no breaking changes here, but boilerplates willing to use this option need to put reactCompiler: true in their configuration.

Moreover, boilerplates with complex component hierarchy have greatly benefited from this change.

Next.js 16.2: AI tooling and the Adapter API
Stable Adapter API has enabled developers to take advantage of approximately 400% faster startup of the next dev command. Apart from that, developers can enjoy several AI features such as browser log forwarding and dev server lock file.

When it comes to boilerplates, having a stable Adapter API plays an important part for developers who do not host their applications on Vercel, since it means that now they have the possibility of deploying projects to AWS, Cloudflare or even open-source infrastructure via OpenNext.

Security Advisories in Next.js 16
Next.js 16 brought several security advisories with it in December 2025. Those are the following:

CVE-2025-66478 (CVSS 10.0 – Remote code execution in React Server Components), CVE-2025-55184 (Denial-of-service vulnerability) and CVE-2025-55183 (source code exposure vulnerability).

All Next.js versions 13.x, 14.x, 15.x, and 16.x should be prioritised for updating.

Breaking Changes in Tailwind CSS v4 - The Change Most Tailwind Guides Don't Explain Well
With Tailwind CSS v4 launched in January 2025, this isn't any more just another version. Tailwind CSS has changed its approach completely with v4.

What really happened
The tailwind.config.js file you have customised so extensively for all those months? It's not there anymore. The content array too? It doesn't exist anymore. And, what about the entire process of Tailwind with the use of PostCSS and its three separate configurations? Well, those are gone too!

To put it simply, you will now store your design tokens directly within your CSS file. And yes, it means the end of @​tailwind base/components/utilities, and you need to replace it with @​import "tailwindcss" instead.

/* Before (Tailwind v3) */

@​tailwind base;

@​tailwind components;

@​tailwind utilities;

/* After (Tailwind v4) */

@​import "tailwindcss";

@​theme {

--color-brand: oklch(62% 0.19 264);

--font-sans: "Inter", sans-serif;

}

The three biggest breaking changes are the shift from JavaScript configuration to CSS-first @​theme configuration, the replacement of @​tailwind directives with @​import "tailwindcss", and the removal of the tailwindcss PostCSS plugin in favor of @​tailwindcss/postcss.

Build speed gains
The problem of migration is a problem. But this change is well worth its weight in gold when it comes to performance gain. Build speed improvement varies from 3 to 10 times faster for a complete build and 100x for an incremental build. Sub-millisecond hot module reload on every single save counts a lot.

What this means for boilerplates
All those boilerplates that continue offering you tailwind.config.js in 2026 have not migrated to Tailwind v4 yet. Not because this version does not work (as it does), but rather because the configuration you start your project with is outdated and will eventually need an update.

Boilerplates that kept up with this update: Ixartz Next.js Boilerplate, Blazity next-enterprise and Kostra, all have migrated to Tailwind v4. This can be seen in the README files, where "Tailwind CSS 4" is mentioned as one of the technology stacks used in Ixartz Boilerplate. While in Blazity Next.js Enterprise Boilerplate "Tailwind CSS v4". All other boilerplates not mentioning the update use Tailwind CSS v3.

How AI Tooling Changed the Boilerplate Landscape
One of the least publicized developments of the past two years has been the emergence of AI coding tools.

AGENTS.md and Cursor rules files
Starting October 2025 (Next.js 16.2), the boilerplate scaffolding provided by create-next-app acquired new features compatible with AI coders, including the AGENTS.md file, which explains the project structure to the AI coder. Several boilerplates took advantage of the update, including MakerKit, which included the AGENTS.md file, Cursor rules, and an MCP server for AI programming purposes.

The ixartz Next.js boilerplate added AI code review through CodeRabbit.

Developers using coding assistants like Cursor, GitHub Copilot, or Claude Code are provided with a lot of help if boilerplates include documentation explaining the conventions used – such documentation is the purpose of AGENTS.md and the Cursor rules file.

Next.js DevTools MCP
Next.js 16 introduced Next.js DevTools MCP that brings Model Context Protocol to assist in debugging applications using AI agents. This functionality helps AI agents detect bugs in the code and explain them.

Boilerplates supporting such debug processes with documentation and tooling help developers using AI tools work more effectively.

Security tooling: Arcjet
Another tool added to the stack of several leading boilerplates was Arcjet, which is security software capable of detecting bots, implementing rate-limiting measures, and mitigating attacks in the middleware level. ixartz Next.js boilerplate has acquired Arcjet as part of its security stack in 2025. This update may be insignificant from PR standpoint, yet it significantly strengthens the security posture of all projects created with the aid of this boilerplate.

Which Next.js Boilerplates Kept Up on GitHub
What Next.js boilerplates remained relevant in 2025-2026? Here is an assessment of the status of these projects in terms of the latest technology developments.

ixartz/Next-js-Boilerplate
Status: Updated and actively maintained

The latest version includes Next.js 16, TypeScript, Tailwind CSS 4, Drizzle ORM, Clerk authentication, Prettier, Lefthook (replacing Husky), Vitest (replacing Jest), Playwright, Commitlint, LogTape (replacing Pino.js), Sentry, multilingualization, CodeRabbit and Arcjet as security and bug detection tools.

Some dependencies have been replaced within this free open-source project recently – Husky is swapped for Lefthook; Jest is replaced with Vitest; and LogTape replaces Pino.js. Regular replacement of dependencies in an open-source project is rather unusual.

Useful for: developers requiring a recent free general-purpose boilerplate.
Github: github.com/ixartz/Next-js-Boilerplate

Blazity/next-enterprise
Status: Updated and actively maintained

Next.js 15, Tailwind CSS v4, ESLint 9, Prettier, strict TypeScript with ts-reset, GitHub Actions with bundle-size and performance tracking, Vitest and Playwright testing utilities, Storybook, Terraform-based AWS infrastructure and Renovate Bot for automated dependency management.

One of the few boilerplates that offers infrastructure-as-code through Terraform, as well as built-in OpenTelemetry observability capabilities. Supported and maintained by Blazity (Next.js consultancy firm) it thus has an extra motivation to remain relevant.

Good for: enterprise-level developers requiring CI/CD and observability out-of-the-box. GitHub: github.com/Blazity/next-enterprise

ixartz/SaaS-Boilerplate
Status: Updated and actively maintained

A SaaS-specific version of the generic boilerplate. Features: multitenancy, RBAC, Clerk authentication, Stripe billing, multilingualization, Shadcn UI, Drizzle ORM, testing utilities, Sentry monitoring. Updated together with Next.js Boilerplate.

One of the most starred free SaaS-specific boilerplates available on GitHub.

Best for: SaaS developers building multi-tenant projects and in search of the most advanced free boilerplate.
GitHub: github.com/ixartz/SaaS-Boilerplate

nextjs/saas-starter (Vercel's official starter)
Status: Updated, minimal by design

Official solution from the Next.js team. Being official, it is guaranteed to track Next.js versions at all times. Uses Next.js, Postgres, Stripe, and Shadcn UI. Minimalistic intentionally. Good for educational purposes and as a reference solution.

Best for: developers looking to build a reference solution.
GitHub: github.com/nextjs/saas-starter

boxyhq/saas-starter-kit
Status: Maintained, enterprise-focused

A SaaS project with a focus on enterprise-level security-related functions such as SAML single sign-on (SSO), directory integration, audit logging, and team management. Consult the Git commit history to check whether Next.js updates are followed. As enterprise compliance doesn't evolve as fast as other technologies in the stack, it is allowed to evolve slowly.

Good for: enterprise B2B SaaS with a need for SAML and compliance features.
GitHub: github.com/boxyhq/saas-starter-kit

Kostra
Status: Paid, actively maintained

Paid Next.js SaaS boilerplate suitable for teams building production-ready applications. Features: multitenancy, authentication, billing, authorisation.
Paid status provides financial motivation to update and maintain this boilerplate. Updated for Next.js 16 and Tailwind CSS 4.

Best for: product teams needing a solution that has been updated and documented rather than forked from GitHub and prayed over.

Projects that fell behind
By checking the commit histories, one can easily identify those projects with many stars at the end of 2023 / beginning of 2024 which haven't had a commit in more than a year. Such projects would be:

Still using middleware.ts instead of proxy.ts

Still shipping tailwind.config.js for v3

Potentially running unpatched security vulnerabilities from the December 2025 CVEs

Using deprecated experimental flags that were removed in Next.js 16

A star count doesn't tell us anything about currency: if we take a 6,000-stars boilerplate project not updated since January 2025, it runs code written before any development mentioned in this article.

How to Evaluate a Boilerplate's Update Status Right Now
Before cloning anything, run this five-step check.

  1. Check the last commit date
    On GitHub, the repo homepage shows the time since the last commit. Anything older than three months in this ecosystem deserves scrutiny. Older than six months is a red flag.

  2. Check the Next.js version in package.json
    Open the raw package.json in the repo. Find the next version. Anything below 16.x is not tracking the current release. Below 15.x and you're looking at a significantly outdated starting point.

  3. Look for proxy.ts, not middleware.ts
    A quick search of the repo for middleware.ts tells you whether it's been migrated to Next.js 16. If middleware.ts exists and proxy.ts does not, the boilerplate has not been updated for Next.js 16.

  4. Check the Tailwind version and config
    Look for tailwind.config.js in the root. If it's there, the boilerplate is on Tailwind v3. Look at the CSS imports in the globals.css file. @​import "tailwindcss" means v4. @​tailwind base means v3.

  5. Check for recent security patches
    If the boilerplate pins an exact Next.js version (e.g., "next": "16.0.1"), check whether that version predates the December 2025 security patches. Any version below 16.0.4 is running with known critical vulnerabilities.

Which Next.js Boilerplate Is Best for SaaS (Free or Paid)?
Taking the upcoming update considerations into account, the following suggestions are made from an honest perspective.

Best free option: ixartz SaaS Boilerplate
It's arguably the most updated free SaaS Next.js boilerplate available at the moment, with its development being actively supported. It is updated to version 16 of Next.js and Tailwind v4. Besides the multi-tenancy, RBAC features, Clerk authentication, integration with Stripe and full testing suite, there's really little it lacks.

Best minimal free option: Vercel Next.js SaaS Starter
Since Vercel actively develops this boilerplate along with the framework itself, you're guaranteed up-to-date content. Minimalistic by nature, but useful for studying the patterns nevertheless.

Best paid option: Kostra
This option is especially good for those who intend to build their SaaS application. With the paid structure being in place, maintenance becomes financially viable. This ensures continuous updates, documentation, security and other benefits.

Conclusion (the honest one)
Free boilerplates that are actively maintained work well. The risk with free is that maintenance depends entirely on the maintainer's time and interest. Paid boilerplates have financial incentive to stay current. That alignment matters more now that the ecosystem is moving this fast.

What Is the Best Next.js Boilerplate with Auth in 2026?
Authentication code underwent some significant changes in 2025-2026.

Auth.js (formerly NextAuth) v5
Changes include the session API, middleware hooks, and how providers are set up. Those using old Auth.js v4 are working with an outdated API that differs more and more from the official documentation.

The Vercel Next.js SaaS Starter template uses Auth.js v5 and thus provides the canonical example of how Auth.js should be used in production projects.

Clerk
Clerk emerged as the de facto hosted authentication system for boilerplates in 2025-2026. The ixartz general and SaaS boilerplates use Clerk; ShipFast uses Clerk too. Pros: you don't need to worry about MFA or device sessions or UI or bots, Clerk does that out-of-the-box. Cons: your user data is stored with Clerk and there is an upper bound on the number of users on their free tier.

What to verify in any auth boilerplate
Does route protection run in proxy.ts (Next.js 16) not middleware.ts?
Is the auth library version current (Auth.js v5 or current Clerk SDK)?

Does email verification work end to end?
Does password reset send email correctly and update the session on completion?

Are OAuth account linking edge cases handled?
The ixartz Next.js Boilerplate with Clerk covers all of these criteria. So does the Vercel SaaS Starter with Auth.js v5.
What Does Reddit Actually Say About Next.js Boilerplates?
Reddit communities (r/nextjs, r/webdev, r/SaaS) offer the following opinions about using the Next.js boilerplate in 2025-2026 years.

Popular arguments against boilerplate (legitimate):
"This boilerplate becomes obsolete the minute after I cloned it." It may be true for many projects. To avoid problems, choose the boilerplate from its maintainer that follows all the Next.js versions carefully.
"I was spending more time on arguing with the architecture of the boilerplate than on developing my project." It happens when boilerplate makes decisions which do not align with the development. How to avoid? Read the codebase first!
"All free boilerplates are missing some vital features." True for almost all of them. In this case, you should consider paying ones.
Popular compliments for boilerplates:

The ixartz boilerplate regularly appears on discussions due to its active maintenance policy (it really follows Next.js versions).
Kostra boilerplate often gets mentioned because of its documentation quality. The problem with many free boilerplates is their readme file which helps get you started but does not provide any info about the reasons behind architectural decision-making. Kostra solves this issue.

What does the Reddit community say honestly?
Programmers who blindly follow stars count when making decisions experience difficulties. Programmers who carefully analyze the choice save their time.
Redditor's opinion about Next.js: use the boilerplate but make sure you made a correct choice. GitHub stars should not stand for anything other than stars count.

FAQs
Where can I find the best Next.js boilerplate on GitHub?
The GitHub topic nextjs-boilerplate filters by community tags. Sort by Most Stars as a starting signal, but also check the latest commit date. In 2026, some of the best free Next.js boilerplates are ixartz/Next-js-Boilerplate (general purpose), ixartz/SaaS-Boilerplate (specifically for SaaS apps), nextjs/saas-starter (minimal but official), and Blazity/next-enterprise (for enterprise applications). They all include updates for Next.js 16.

What is the best Next.js boilerplate with authentication in 2026?
The ixartz Next.js Boilerplate (free) uses Clerk and comes with the migration from middleware.ts to proxy.ts, for Next.js 16 support. The Vercel Next.js SaaS Starter includes Auth.js v5 and serves as the reference implementation for self-hosted authentication. Teams looking for hosted authentication with extra features like MFA, bot protection, or user management UI are better off with Clerk-based boilerplates.

What is the best Next.js boilerplate overall?
In 2026, the best answer depends on whether you mean free or paid. For free: ixartz Next.js Boilerplate, suitable for general projects, and ixartz SaaS Boilerplate, for SaaS projects. Both come on Next.js 16 and Tailwind v4. Kostra, on the other hand, is the best Next.js boilerplate for SaaS teams that will pay for it and don't mind a subscription. It's well-maintained and documented and supports enterprise features like CI/CD, Terraform infrastructure, and observability.

Which Next.js boilerplate should I use for SaaS?
It depends. Solo founders or small teams experimenting with new ideas: ixartz SaaS Boilerplate (free) provides you with everything you need: auth, billing, and multi-tenancy for free. Building a SaaS app to take to market: Kostra covers all of that too, with paid maintenance included and architecture well-documented. Needing B2B features, like SAML-based single sign-on: try BoxyHQ SaaS Starter Kit for those.

What is the ixartz Next.js Boilerplate?
The ixartz Next.js Boilerplate is an open-source starter maintained by developer Remi Weng. This is one of the best Next.js boilerplates available on GitHub. As of 2026, the boilerplate comes with Next.js 16, Tailwind CSS v4, Drizzle ORM, Clerk auth, Playwright, Vitest, Storybook, Sentry, LogTape, and Arcjet security. What makes it interesting? It's a good example of keeping up-to-date with a constantly evolving toolchain: Husky has been replaced with Lefthook, Jest with Vitest, and Pino.js with LogTape. The same developer creates the ixartz SaaS Boilerplate, an extended version featuring multi-tenancy, RBAC, and Stripe billing.

What is the best Next.js boilerplate for SaaS (free or paid)?
For free: the ixartz SaaS Boilerplate stands out with its rich feature set – multi-tenancy, Clerk auth, Stripe billing, i18n, Shadcn UI, and a robust testing pipeline, all based on Next.js 16. Kostra is our recommendation for paid boilerplates. If you're planning to build a production-grade SaaS app and need someone to keep track of things, it's what you should consider.

How do I know if a Next.js boilerplate is outdated?
First of all, check package.json for Next.js version. Anything lower than 16 is outdated. Then look inside the codebase for middleware.ts: if it's there and there's no proxy.ts, the boilerplate isn't migrated to Next.js 16 yet. Finally, check globals.css file for imports: either @​import "tailwindcss" (v4) or @​tailwind base (v3). And if the boilerplate still uses anything below Next.js 16 or Tailwind v4, it means that the boilerplate is outdated.

Top comments (0)