Effect's fiber scheduler was resuming work from multiple requests under the same AsyncLocalStorage context, causing auth state and request headers to bleed across concurrent requests—patch immediately if using Clerk or Next.js request APIs.
Summary
Under production load, your auth checks could return the wrong user session or read cookies from in-flight requests. The bug is intermittent and hard to catch in testing, making it a silent security risk in any Effect app using AsyncLocalStorage-backed libraries like Clerk or Next.js App Router.
Why it matters
Under production load, your auth checks could return the wrong user session or read cookies from in-flight requests. The bug is intermittent and hard to catch in testing, making it a silent security risk in any Effect app using AsyncLocalStorage-backed libraries like Clerk or Next.js App Router.
Implementation verdict
Mandatory upgrade. Effect ≤3.19.15 + concurrent requests + AsyncLocalStorage (Clerk, Next.js cookies/headers) = request context mixing. Upgrade to effect@3.20.0 immediately. No configuration needed—the scheduler fix is automatic. If you can't upgrade immediately, extract AsyncLocalStorage values before entering the Effect runtime and pass them explicitly, but this is a workaround only.
Sources
Dev Signal
Get briefs like this in your inbox — free, 3x a week.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.