diff --git a/packages/vinext/src/shims/link.tsx b/packages/vinext/src/shims/link.tsx
index 4ee80087..da5821c3 100644
--- a/packages/vinext/src/shims/link.tsx
+++ b/packages/vinext/src/shims/link.tsx
@@ -280,19 +280,15 @@ const Link = forwardRef<HTMLAnchorElement, LinkProps>(function Link(
   // where href is a route pattern like "/user/[id]" and as is "/user/1")
   const resolvedHref = as ?? resolveHref(href);
 
-  // Block dangerous URI schemes (javascript:, data:, vbscript:).
-  // Render an inert <a> without href to prevent XSS while preserving
-  // styling and attributes like className, id, aria-*.
-  if (typeof resolvedHref === "string" && isDangerousScheme(resolvedHref)) {
-    if (process.env.NODE_ENV !== "production") {
-      console.warn(`<Link> blocked dangerous href: ${resolvedHref}`);
-    }
-    const { passHref: _p, ...safeProps } = restWithoutLocale;
-    return <a {...safeProps}>{children}</a>;
-  }
-
-  // Apply locale prefix if specified
-  const localizedHref = applyLocaleToHref(resolvedHref, locale);
+  const isDangerous =
+    typeof resolvedHref === "string" && isDangerousScheme(resolvedHref);
+
+  // Apply locale prefix if specified (safe even for dangerous hrefs since we
+  // won't use the result when isDangerous is true)
+  const localizedHref = applyLocaleToHref(
+    isDangerous ? "/" : resolvedHref,
+    locale,
+  );
   // Full href with basePath for browser URLs and fetches
   const fullHref = withBasePath(localizedHref);
 
@@ -307,7 +303,7 @@ const Link = forwardRef<HTMLAnchorElement, LinkProps>(function Link(
   // Prefetching: observe the element when it enters the viewport.
   // prefetch={false} disables, prefetch={true} or undefined/null (default) enables.
   const internalRef = useRef<HTMLAnchorElement | null>(null);
-  const shouldPrefetch = prefetchProp !== false;
+  const shouldPrefetch = prefetchProp !== false && !isDangerous;
 
   const setRefs = useCallback(
     (node: HTMLAnchorElement | null) => {
@@ -474,6 +470,17 @@ const Link = forwardRef<HTMLAnchorElement, LinkProps>(function Link(
 
   const linkStatusValue = React.useMemo(() => ({ pending }), [pending]);
 
+  // Block dangerous URI schemes (javascript:, data:, vbscript:).
+  // Render an inert <a> without href to prevent XSS while preserving
+  // styling and attributes like className, id, aria-*.
+  // This check is placed after all hooks to satisfy the Rules of Hooks.
+  if (isDangerous) {
+    if (process.env.NODE_ENV !== "production") {
+      console.warn(`<Link> blocked dangerous href: ${resolvedHref}`);
+    }
+    return <a {...anchorProps}>{children}</a>;
+  }
+
   return (
     <LinkStatusContext.Provider value={linkStatusValue}>
       <a ref={setRefs} href={fullHref} onClick={handleClick} {...anchorProps}>
diff --git a/packages/vinext/src/shims/script.tsx b/packages/vinext/src/shims/script.tsx
index 3745191e..a50b0b1d 100644
--- a/packages/vinext/src/shims/script.tsx
+++ b/packages/vinext/src/shims/script.tsx
@@ -107,26 +107,10 @@ function Script(props: ScriptProps): React.ReactElement | null {
   } = props;
 
   const hasMounted = useRef(false);
-
-  // SSR path: only "beforeInteractive" renders a <script> tag server-side
-  if (typeof window === "undefined") {
-    if (strategy === "beforeInteractive") {
-      const scriptProps: Record<string, unknown> = { ...rest };
-      if (src) scriptProps.src = src;
-      if (id) scriptProps.id = id;
-      if (dangerouslySetInnerHTML) {
-        scriptProps.dangerouslySetInnerHTML = dangerouslySetInnerHTML;
-      }
-      return React.createElement("script", scriptProps, children);
-    }
-    // Other strategies don't render during SSR
-    return null;
-  }
-
   const key = id ?? src ?? "";
 
-  // Client path: load scripts via useEffect based on strategy
-  // eslint-disable-next-line react-hooks/rules-of-hooks
+  // Client path: load scripts via useEffect based on strategy.
+  // useEffect never runs during SSR, so it's safe to call unconditionally.
   useEffect(() => {
     if (hasMounted.current) return;
     hasMounted.current = true;
@@ -203,6 +187,21 @@ function Script(props: ScriptProps): React.ReactElement | null {
     }
   }, [src, id, strategy, onLoad, onReady, onError, children, dangerouslySetInnerHTML, key, rest]);
 
+  // SSR path: only "beforeInteractive" renders a <script> tag server-side
+  if (typeof window === "undefined") {
+    if (strategy === "beforeInteractive") {
+      const scriptProps: Record<string, unknown> = { ...rest };
+      if (src) scriptProps.src = src;
+      if (id) scriptProps.id = id;
+      if (dangerouslySetInnerHTML) {
+        scriptProps.dangerouslySetInnerHTML = dangerouslySetInnerHTML;
+      }
+      return React.createElement("script", scriptProps, children);
+    }
+    // Other strategies don't render during SSR
+    return null;
+  }
+
   // The component itself renders nothing — scripts are injected imperatively
   return null;
 }