chore(deps): bump next from 15.5.14 to 15.5.15 in /web/dashboard

[dependabot]

Bumps next from 15.5.14 to 15.5.15.

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

PR Review: next 15.5.14 → 15.5.15 (Security Patch)

This is a Dependabot security update and the change is straightforward and correct. Here's my assessment:

Summary

Bumps Next.js from 15.5.14 to 15.5.15 to address CVE-2026-23869, which involves improper handling of cyclic RSC (React Server Component) model payloads. The fix prevents consuming cyclic models multiple times.

Code Quality / Correctness ✅

• package.json: Version constraint updated from ^15.5.14 to ^15.5.15.
• package-lock.json: All affected packages are updated consistently — next, @next/env, and all 8 platform-specific @next/swc-* binaries are pinned to 15.5.15 with fresh integrity hashes. No partial or mismatched versions.

Security ✅

This is a security release (patch-only). The CVE involves cyclic model consumption in RSC streaming, which could lead to unexpected behavior or DoS if a malicious server response contains cyclic references. Patching this promptly is the right call, especially for a trading dashboard that fetches live market data over the wire.

Risk Assessment: Low

• Patch-level bump (no API changes expected).
• Only web/dashboard is affected; the Go backend and web/explainability are untouched.
• Dependabot's compatibility score badge indicates high confidence in the update.

Recommendation

Approve and merge. No concerns — this is a routine security patch with no functional changes. Two optional follow-ups to consider:

• Verify the dashboard still builds cleanly post-merge (cd web/dashboard && npm run build) if CI doesn't already cover this.
• Consider enabling Dependabot auto-merge for patch-level security updates to reduce review lag on future CVEs.