
Security: upgrade Next.js to fix critical RCE (GHSA-9qr9-h5gf-34mp) #8

@johnwaldo

Summary

next@15.5.3 (pinned in package.json) is affected by a critical remote code execution vulnerability in the React Flight protocol.

  • Advisory: GHSA-9qr9-h5gf-34mp
  • Severity: Critical (CVSS 9.1)
  • Affected range: 10.0.0 - 15.5.9
  • Fixed in: 15.5.10+

There are also 4 additional advisories affecting this version range (2 high, 2 moderate):

| Advisory | Severity | Description |
|---|---|---|
| GHSA-mwv6-3258-q52c | High | DoS via Server Components |
| GHSA-h25m-26qc-wcjf | High | HTTP deserialization DoS |
| GHSA-w37m-7fhw-fmv9 | Moderate | Server Actions source code exposure |
| GHSA-9g9p-9gw9-jx7f | Moderate | DoS via Image Optimizer |

Fix

Bump next in package.json:

- "next": "15.5.3",
+ "next": "15.5.12",
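Review bot: this hunk changes only the package.json pin, and npm installs from package-lock.json, which is also the file the audit was run against; regenerate the lockfile in the same change (running `npm install` after the edit rewrites it) and re-run `npm audit`, otherwise the installed next stays at 15.5.3 while package.json claims 15.5.12.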

Also bump eslint-config-next to match:

- "eslint-config-next": "15.5.3",
+ "eslint-config-next": "15.5.12",
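Review bot: eslint-config-next is not named in any of the five advisories listed above, so this hunk is version alignment rather than part of the security fix; say so in the commit message so the two bumps are not read as equally urgent.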

This is a non-breaking patch release.

How I found this

Ran npm audit against the lockfile. The RCE is the only critical finding; the others are included for completeness since they're all resolved by the same version bump.
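As an added example (not part of the issue or of the Next.js project), the check below does what the audit does for this one advisory in plain Node.js: it reads the resolved `next` version out of a lockfile and tests it against the affected range the issue cites for GHSA-9qr9-h5gf-34mp (10.0.0 through 15.5.9, fixed in 15.5.10). It compares versions numerically, which matters here because a string comparison would wrongly sort 15.5.9 after 15.5.10, and it reports nested copies of the package as well as the hoisted one. The two lockfile objects at the bottom are constructed for the example; a real run would `JSON.parse` the contents of package-lock.json.

```javascript
// Added example, not from the issue: flag a "next" version resolved in a
// package-lock.json that falls inside the affected range of GHSA-9qr9-h5gf-34mp.
// The lockfile objects at the bottom are constructed for this example.

const ADVISORIES = [
  // "below" is the first fixed version, so the affected range is [from, below).
  { id: "GHSA-9qr9-h5gf-34mp", severity: "critical", pkg: "next", from: "10.0.0", below: "15.5.10" },
];

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any prerelease/build suffix are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so 15.5.9 sorts before 15.5.10 (a string compare would not).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of pkgName in a lockfileVersion 2/3 lockfile. Keys of
// "packages" are install paths, so nested copies ("node_modules/a/node_modules/next")
// are reported too; bumping the hoisted copy does not fix a nested one left behind.
function installedVersions(lock, pkgName) {
  const suffix = `node_modules/${pkgName}`;
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Cross every advisory with every installed copy of its package.
function findVulnerable(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    for (const inst of installedVersions(lock, adv.pkg)) {
      const affected =
        compareSemver(inst.version, adv.from) >= 0 &&
        compareSemver(inst.version, adv.below) < 0;
      if (affected) {
        findings.push({ id: adv.id, severity: adv.severity, path: inst.path, version: inst.version });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragments: the state the issue reports (next 15.5.3)
// and the state after the proposed bump to 15.5.12.
const LOCK_BEFORE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "15.5.3" } },
    "node_modules/next": { version: "15.5.3" },
  },
};

const LOCK_AFTER = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "15.5.12" } },
    "node_modules/next": { version: "15.5.12" },
  },
};

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  const hits = findVulnerable(lock);
  console.log(`${label}: ${hits.length === 0 ? "no affected versions" : JSON.stringify(hits)}`);
}
```

The range data for the other four advisories is not given in the issue, so only the critical one is encoded; adding a row to `ADVISORIES` with its own `from`/`below` bounds is all it takes to cover another one once its affected range is known from the advisory text.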
