build(deps): bump next from 16.2.2 to 16.2.3 in the npm_security group across 1 directory

[dependabot]

Bumps the npm_security group with 1 update in the / directory: next.

Updates next from 16.2.2 to 16.2.3

Release notes

Sourced from next's releases.

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

Commits

• d5f649b v16.2.3
• 2873928 [16.x] Avoid consuming cyclic models multiple times (#75)
• d7c7765 [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...
• c573e8c fix(server-hmr): metadata routes overwrite page runtime HMR handler (#92273)
• 57b8f65 next-core: deduplicate output assets and detect content conflicts on emit (#9...
• f158df1 Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• 356d605 turbo-tasks-backend: stability fixes for task cancellation and error handling...
• 3b77a6e Fix DashMap read-write self-deadlock in task_cache causing hangs (#92210)
• b2f208a Backport: new view-transitions guide, update and fixes (#92264)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

• Chores
  • Updated framework dependency to the latest patch version for stability and performance improvements.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated the next dependency from version ^16.2.2 to ^16.2.3 in package.json. This is a patch-level version bump with no other configuration changes.

Changes

Cohort / File(s)	Summary
Dependency Update package.json	Bumped next dependency version from ^16.2.2 to ^16.2.3 (patch release).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping the Next.js dependency from 16.2.2 to 16.2.3, which is the sole modification in this changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/npm_security-ad77747e51

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 28: package.json declares "next": "^16.2.3" but still pins
"eslint-config-next" at "^16.2.2", causing a mismatch and leaving CVE-2026-23869
unaddressed; update the "eslint-config-next" dependency to "^16.2.3" so it
matches the Next.js release series (modify the "eslint-config-next" entry in
package.json), then run your lockfile update (npm/yarn/pnpm install) and verify
tests/linters succeed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98a18d5f-7b95-481f-965a-dc5853d61315

📥 Commits

Reviewing files that changed from the base of the PR and between 06e7723 and c52f1a8.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is CVE-2026-23869 and which Next.js versions does it affect?

💡 Result:

CVE-2026-23869 is a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. A specially crafted HTTP request sent to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, leading to DoS in unpatched environments. It originates in React packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack (versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4). Next.js versions affected (using App Router): 13.x, 14.x, 15.x (15.0.0 to <15.5.15), 16.x (16.0.0 to <16.2.3). Upgrade to patched versions: Next.js 15.5.15+, 16.2.3+. Note: Next.js 13.x and 14.x are EOL with no patches planned.

Citations:

• 1: https://vercel.com/changelog/summary-of-cve-2026-23869
• 2: https://nvd.nist.gov/vuln/detail/CVE-2026-23869
• 3: https://www.fastly.com/blog/what-is-cve-2026-23869-react-server-components-security-alert
• 4: https://www.netlify.com/changelog/2026-04-08-react-nextjs-dos-vulnerability/

---

🌐 Web query:

What is the latest version of eslint-config-next package for Next.js 16.2.3?

💡 Result:

The latest version of the eslint-config-next package is 16.2.3, which matches Next.js 16.2.3 and was published 2 days ago (as of 2026-04-10). This package versions in lockstep with Next.js core releases, so for Next.js 16.2.3, use eslint-config-next@16.2.3. The 'latest' tag on npm is currently 16.2.1, but the specific version 16.2.3 is available and appropriate.

Citations:

• 1: https://www.npmjs.com/package/eslint-config-next
• 2: https://www.npmjs.com/package/eslint-config-next?activeTab=versions
• 3: https://github.com/vercel/next.js/releases/latest
• 4: https://github.com/vercel/next.js/releases/tag/v16.2.3

---

Update eslint-config-next to match Next.js 16.2.3.

CVE-2026-23869 (CVSS 7.5) is a high-severity DoS vulnerability in React Server Components affecting Next.js 16.0.0 to <16.2.3. The upgrade to 16.2.3 on line 28 is essential. However, eslint-config-next on line 41 remains at ^16.2.2. Since version 16.2.3 is now available and these packages are released in lockstep, update eslint-config-next to ^16.2.3:

Suggested fix

-    "eslint-config-next": "^16.2.2",
+    "eslint-config-next": "^16.2.3",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 28, package.json declares "next": "^16.2.3" but still
pins "eslint-config-next" at "^16.2.2", causing a mismatch and leaving
CVE-2026-23869 unaddressed; update the "eslint-config-next" dependency to
"^16.2.3" so it matches the Next.js release series (modify the
"eslint-config-next" entry in package.json), then run your lockfile update
(npm/yarn/pnpm install) and verify tests/linters succeed.