
fix: complete CVE-2025-55182 security fix for React and Next.js #5390

Merged
bkrem merged 1 commit into main from devin/1764825421-fix-cve-2025-55182-complete
Dec 4, 2025

Conversation


@devin-ai-integration devin-ai-integration bot commented Dec 4, 2025

Description

Updates all remaining vulnerable React and Next.js versions to address CVE-2025-55182, a critical security vulnerability in React Server Components.

This completes the fix started in PR #5387 which only updated React in demo and laboratory apps. The following updates are included:

  • React 19.1.1 → 19.1.2 (28 packages/examples)
  • React 19.2.0 → 19.2.1 (next-appkit-headless example)
  • react-dom versions updated to match
  • Next.js 15.3.5 → 15.3.6 (pay-test-exchange app)
  • Next.js 15.6.0-canary.29 → 15.5.7 (laboratory app, next-appkit-headless example)

Reference: https://vercel.com/changelog/cve-2025-55182

Type of change

  • Chore (non-breaking change that addresses non-functional tasks, maintenance, or code quality improvements)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Associated Issues

Addresses CVE-2025-55182

Human Review Checklist

  • Verify the Next.js downgrade from 15.6.0-canary.29 to 15.5.7 doesn't break laboratory or next-appkit-headless functionality
  • Confirm CI passes for all affected apps/examples
  • Verify no vulnerable versions remain in the codebase

Checklist

  • Code in this PR is covered by automated tests (Unit tests, E2E tests)
  • My changes generate no new warnings
  • I have reviewed my own code
  • I have filled out all required sections
  • I have tested my changes on the preview link
  • Approver of this PR confirms that the changes are tested on the preview link

Link to Devin run: https://app.devin.ai/sessions/69dd50767d0740fcb79b75b91cc32b7b
Requested by: Ben Kremer (@bkrem)

Updates all remaining vulnerable versions to address CVE-2025-55182:
- React 19.1.1 -> 19.1.2 (28 packages/examples)
- React 19.2.0 -> 19.2.1 (next-appkit-headless example)
- Next.js 15.3.5 -> 15.3.6 (pay-test-exchange app)
- Next.js 15.6.0-canary.29 -> 15.5.7 (laboratory app, next-appkit-headless example)

This completes the fix started in PR #5387 which only updated React in demo and laboratory apps.

Reference: https://vercel.com/changelog/cve-2025-55182
Co-Authored-By: Ben Kremer <ben@reown.com>

changeset-bot bot commented Dec 4, 2025

⚠️ No Changeset found

Latest commit: effa0ee

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.



vercel bot commented Dec 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
appkit-basic-html | Ready | Preview | Comment | Dec 4, 2025 5:27am
appkit-demo | Ready | Preview | Comment | Dec 4, 2025 5:27am
appkit-gallery | Ready | Preview | Comment | Dec 4, 2025 5:27am
appkit-headless-sample-app | Ready | Preview | Comment | Dec 4, 2025 5:27am
appkit-laboratory | Ready | Preview | Comment | Dec 4, 2025 5:27am

10 Skipped Deployments

Project | Deployment | Preview | Comments | Updated (UTC)
appkit-basic-example | Ignored | - | - | Dec 4, 2025 5:27am
appkit-basic-sign-client-example | Ignored | - | - | Dec 4, 2025 5:27am
appkit-basic-up-example | Ignored | - | - | Dec 4, 2025 5:27am
appkit-ethers5-bera | Ignored | - | - | Dec 4, 2025 5:27am
appkit-nansen-demo | Ignored | - | - | Dec 4, 2025 5:27am
appkit-vue-solana | Ignored | - | - | Dec 4, 2025 5:27am
appkit-wagmi-cdn-example | Ignored | - | - | Dec 4, 2025 5:27am
ethereum-provider-wagmi-example | Ignored | - | - | Dec 4, 2025 5:27am
next-wagmi-solana-bitcoin-example | Ignored | - | - | Dec 4, 2025 5:27am
vue-wagmi-example | Ignored | - | - | Dec 4, 2025 5:27am

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | next@14.2.3 | 28 | 100 | 95 | 98 | 70
Added | @reown/appkit-adapter-ethers@1.8.0 | 87 | 100 | 82 | 98 | 100
Added | @reown/appkit-adapter-solana@1.8.0 | 98 | 100 | 83 | 98 | 100
Added | @reown/appkit-adapter-bitcoin@1.8.0 | 96 | 100 | 84 | 98 | 100
Added | @reown/appkit-controllers@1.8.0 | 100 | 100 | 86 | 98 | 100



github-actions bot commented Dec 4, 2025

Visual Regression Test Results ✅ Passed

✨ No visual changes detected

Chromatic Build: https://www.chromatic.com/build?appId=6493191bf4b10fed8ca7353f&number=481
Storybook Preview: https://6493191bf4b10fed8ca7353f-sxqbmskaus.chromatic.com/


github-actions bot commented Dec 4, 2025

📦 Bundle Size Check

All bundles are within size limits

📊 View detailed bundle sizes

> @reown/appkit-monorepo@1.7.1 size /home/runner/work/appkit/appkit


> size-limit

@reown/appkit - Main Entry
Size limit:   80 kB
Size:         71.36 kB with all dependencies, minified and gzipped
Loading time: 1.4 s    on slow 3G
Running time: 696 ms   on Snapdragon 410
Total time:   2.1 s
@reown/appkit/react
Size limit:   230 kB
Size:         228.13 kB with all dependencies, minified and gzipped
Loading time: 4.5 s     on slow 3G
Running time: 1.5 s     on Snapdragon 410
Total time:   6 s
@reown/appkit/vue
Size limit:   80 kB
Size:         71.36 kB with all dependencies, minified and gzipped
Loading time: 1.4 s    on slow 3G
Running time: 619 ms   on Snapdragon 410
Total time:   2.1 s
@reown/appkit-scaffold-ui
Size limit:   220 kB
Size:         209.4 kB with all dependencies, minified and gzipped
Loading time: 4.1 s    on slow 3G
Running time: 897 ms   on Snapdragon 410
Total time:   5 s
@reown/appkit-ui
Size limit:   500 kB
Size:         13.15 kB with all dependencies, minified and gzipped
Loading time: 257 ms   on slow 3G
Running time: 66 ms    on Snapdragon 410
Total time:   323 ms


github-actions bot commented Dec 4, 2025

Coverage Report

Status | Category | Percentage | Covered / Total
🔵 | Lines | 79.71% | 38341 / 48097
🔵 | Statements | 79.71% | 38341 / 48097
🔵 | Functions | 77.3% | 4107 / 5313
🔵 | Branches | 86.62% | 9304 / 10740

File Coverage: No changed files found.
Generated in workflow #16456 for commit effa0ee by the Vitest Coverage Report Action

@bkrem bkrem requested review from a team and removed request for bkrem December 4, 2025 06:31
@bkrem bkrem added this pull request to the merge queue Dec 4, 2025
Merged via the queue into main with commit 2a5cebf Dec 4, 2025
44 checks passed
@bkrem bkrem deleted the devin/1764825421-fix-cve-2025-55182-complete branch December 4, 2025 09:13
@github-actions github-actions bot locked and limited conversation to collaborators Dec 4, 2025
