
fix: upgrade Next.js to patched versions for security (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)#5409

Merged: bkrem merged 1 commit into main from devin/1765520712-security-patch-nextjs on Dec 12, 2025

Conversation

@devin-ai-integration
Contributor

@devin-ai-integration devin-ai-integration bot commented Dec 12, 2025

Description

Upgrades Next.js to patched versions across all apps and examples to address security vulnerabilities in React Server Components:

Version updates:

  • 14.2.32 → 14.2.35 (8 examples + demo app)
  • 15.5.7 → 15.5.9 (laboratory, next-appkit-headless)
  • 15.3.6 → 15.3.8 (pay-test-exchange)

Reference: https://nextjs.org/blog/security-update-2025-12-11

Type of change

  • Chore (non-breaking change that addresses non-functional tasks, maintenance, or code quality improvements)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Associated Issues

Security advisory: https://nextjs.org/blog/security-update-2025-12-11

CI Notes

Some Playwright shards may fail with timeout errors in Firefox-specific e2e tests (siwx-email and smart-account tests). These appear to be pre-existing flaky tests involving external authentication services (Magic Link), not regressions from this security patch. All code-style checks, unit tests, and builds pass.

Review Checklist for Human

  • Verify version numbers match the security advisory recommendations
  • Confirm pnpm-lock.yaml is properly updated
  • Check that no unintended changes were made beyond version bumps

Checklist

  • Code in this PR is covered by automated tests (Unit tests, E2E tests)
  • My changes generate no new warnings
  • I have reviewed my own code
  • I have filled out all required sections
  • I have tested my changes on the preview link
  • Approver of this PR confirms that the changes are tested on the preview link

Link to Devin run: https://app.devin.ai/sessions/390937b22ae54f33bf3cb9c7fd62b69e
Requested by: Ben Kremer (@bkrem)
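The review checklist above asks a human to verify that every app and example really landed on a patched Next.js line. The following is an added example, not code from this PR or from the appkit project: a small Node.js audit that walks a set of package.json manifests and flags any "next" dependency that is not at or above the patched release for its major.minor line. The floors it uses (14.2.35, 15.3.8, 15.5.9) are the three target versions named in the PR description; the Next.js advisory linked above is the authoritative list, so any other line (for example 13.x) is reported as unknown rather than silently passed. The manifest paths and contents are constructed for the example; two of them mirror the before/after versions the PR describes, the rest exercise edge cases.

```javascript
// Added example (not part of the PR or the appkit project): confirm that every
// "next" dependency across a monorepo sits at or above the patched release for
// its major.minor line. Floors are the target versions named in the PR
// description; the Next.js advisory remains the authoritative source.
const PATCHED_FLOORS = {
  '14.2': 35,
  '15.3': 8,
  '15.5': 9,
};

// Parse "14.2.32", "^14.2.32" or "~15.5.7" into numeric parts. Anything we
// cannot pin to one release (">=14", "latest", "workspace:*") returns null,
// because a floating range proves nothing about what is actually installed.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Classify a single "next" version specifier against the floors.
function classifyNext(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: 'unparseable', spec };
  const line = `${v.major}.${v.minor}`;
  const floor = PATCHED_FLOORS[line];
  if (floor === undefined) return { status: 'unknown-line', spec, line };
  return {
    status: v.patch >= floor ? 'patched' : 'vulnerable',
    spec,
    line,
    floor,
  };
}

// Walk a map of manifest path -> parsed package.json and collect every "next"
// entry that is not confirmed patched (vulnerable, unknown line, or unpinned).
function auditManifests(manifests) {
  const findings = [];
  for (const [file, pkg] of Object.entries(manifests)) {
    for (const field of ['dependencies', 'devDependencies']) {
      const spec = pkg[field] && pkg[field].next;
      if (spec === undefined) continue;
      const result = classifyNext(spec);
      if (result.status !== 'patched') findings.push({ file, field, ...result });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical paths). The first three mirror the
// pre-/post-patch versions described in the PR; the last two are edge cases.
const SAMPLE_MANIFESTS = {
  'examples/next-wagmi/package.json': { dependencies: { next: '14.2.32' } }, // pre-patch
  'apps/laboratory/package.json': { dependencies: { next: '15.5.9' } }, // patched
  'examples/pay-test-exchange/package.json': { dependencies: { next: '^15.3.6' } }, // pre-patch, caret range
  'apps/legacy/package.json': { dependencies: { next: '13.5.6' } }, // line not covered by the floors
  'apps/tooling/package.json': { devDependencies: { next: 'latest' } }, // cannot be pinned
};

// Run the audit over the constructed manifests and return the findings.
function runSampleAudit() {
  return auditManifests(SAMPLE_MANIFESTS);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSampleAudit()) {
    console.log(`${f.status.padEnd(12)} ${f.file} (${f.field}: ${f.spec})`);
  }
}
```

In a real repository you would build the manifest map by reading each package.json (and, for the stricter check the checklist asks for, the resolved versions in pnpm-lock.yaml rather than the declared ranges), then fail CI if `auditManifests` returns anything.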

@changeset-bot

changeset-bot bot commented Dec 12, 2025

⚠️ No Changeset found

Latest commit: d7ee1f5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel

vercel bot commented Dec 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                     Deployment  Preview  Comments  Updated (UTC)
appkit-basic-html           Ready       Preview  Comment   Dec 12, 2025 6:30am
appkit-demo                 Ready       Preview  Comment   Dec 12, 2025 6:30am
appkit-gallery              Ready       Preview  Comment   Dec 12, 2025 6:30am
appkit-headless-sample-app  Ready       Preview  Comment   Dec 12, 2025 6:30am
appkit-laboratory           Ready       Preview  Comment   Dec 12, 2025 6:30am

10 Skipped Deployments

Project                            Deployment  Updated (UTC)
appkit-basic-example               Ignored     Dec 12, 2025 6:30am
appkit-basic-sign-client-example   Ignored     Dec 12, 2025 6:30am
appkit-basic-up-example            Ignored     Dec 12, 2025 6:30am
appkit-ethers5-bera                Ignored     Dec 12, 2025 6:30am
appkit-nansen-demo                 Ignored     Dec 12, 2025 6:30am
appkit-vue-solana                  Ignored     Dec 12, 2025 6:30am
appkit-wagmi-cdn-example           Ignored     Dec 12, 2025 6:30am
ethereum-provider-wagmi-example    Ignored     Dec 12, 2025 6:30am
next-wagmi-solana-bitcoin-example  Ignored     Dec 12, 2025 6:30am
vue-wagmi-example                  Ignored     Dec 12, 2025 6:30am

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                  Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  next@14.2.32 ⏵ 14.2.35  100 (+19)              100 (+16)      100 (+6)  100 (+3)     100 (+31)

View full report

@github-actions
Contributor

Visual Regression Test Results ✅ Passed

⚠️ 6 visual change(s) detected

Chromatic Build: https://www.chromatic.com/build?appId=6493191bf4b10fed8ca7353f&number=509
Storybook Preview: https://6493191bf4b10fed8ca7353f-dvkclzfsgb.chromatic.com/

👉 Please review the visual changes in Chromatic and accept or reject them.

@github-actions
Contributor

📦 Bundle Size Check

All bundles are within size limits

📊 View detailed bundle sizes

> @reown/appkit-monorepo@1.7.1 size /home/runner/work/appkit/appkit


> size-limit


[baseline-browser-mapping] The data in this module is over two months old. To ensure accurate Baseline data, please update: npm i baseline-browser-mapping@latest -D

@reown/appkit - Main Entry
Size limit:   80 kB
Size:         73.96 kB with all dependencies, minified and gzipped
Loading time: 1.5 s    on slow 3G
Running time: 621 ms   on Snapdragon 410
Total time:   2.1 s
@reown/appkit/react
Size limit:   230 kB
Size:         228.99 kB with all dependencies, minified and gzipped
Loading time: 4.5 s     on slow 3G
Running time: 840 ms    on Snapdragon 410
Total time:   5.4 s
@reown/appkit/vue
Size limit:   80 kB
Size:         73.96 kB with all dependencies, minified and gzipped
Loading time: 1.5 s    on slow 3G
Running time: 322 ms   on Snapdragon 410
Total time:   1.8 s
@reown/appkit-scaffold-ui
Size limit:   220 kB
Size:         209.51 kB with all dependencies, minified and gzipped
Loading time: 4.1 s     on slow 3G
Running time: 537 ms    on Snapdragon 410
Total time:   4.7 s
@reown/appkit-ui
Size limit:   500 kB
Size:         13.15 kB with all dependencies, minified and gzipped
Loading time: 257 ms   on slow 3G
Running time: 41 ms    on Snapdragon 410
Total time:   297 ms

@github-actions
Contributor

Coverage Report

Status  Category    Percentage  Covered / Total
🔵      Lines       79.77%      38423 / 48162
🔵      Statements  79.77%      38423 / 48162
🔵      Functions   77.25%      4113 / 5324
🔵      Branches    86.46%      9323 / 10782

File Coverage: No changed files found.

Generated in workflow #16504 for commit d7ee1f5 by the Vitest Coverage Report Action

@devin-ai-integration
Contributor Author

Two Playwright shards are failing with timeout errors in Firefox-specific e2e tests:

  1. Shard 4: siwx-email-it-should-disconnect-Desktop-Firefox-solana - "Connect button should be present with timeout 30000ms"
  2. Shard 1: smart-account-it-should-use-a-smart-account-Desktop-Firefox-ethers - "Timed out 60000ms waiting for expect(locator).toBeVisible()"

Both failures involve email login flows with external services (Magic Link, WalletConnect verify). The logs show "User rejected" and "Request was aborted" errors, which suggest timing issues with external authentication services rather than a regression from the Next.js patch.

All other checks pass:

  • Code style (lint, typecheck, prettier)
  • Unit tests
  • Build and bundle size
  • 8/10 Playwright shards
  • All Vercel deployments

These appear to be pre-existing flaky tests. Would you like me to re-run the failed jobs, or should we merge with these known flaky tests?

@0xmkh 0xmkh added this pull request to the merge queue Dec 12, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2025
@0xmkh 0xmkh added this pull request to the merge queue Dec 12, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2025
@0xmkh 0xmkh added this pull request to the merge queue Dec 12, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2025
@bkrem bkrem added this pull request to the merge queue Dec 12, 2025
Merged via the queue into main with commit ea98207 Dec 12, 2025
62 of 64 checks passed
@bkrem bkrem deleted the devin/1765520712-security-patch-nextjs branch December 12, 2025 10:44
@github-actions github-actions bot locked and limited conversation to collaborators Dec 12, 2025