
fix(security): bump website next to 16.2.6 (5 advisories)#398

Open
Sergentval wants to merge 1 commit into
rohitg00:mainfrom
Sergentval:chore/security/website-next-16.2.6

Conversation

@Sergentval

@Sergentval Sergentval commented May 15, 2026

Summary

Bumps website/next from ^16.2.4 (lockfile pinned to 16.2.4) to ^16.2.6 to patch the five Next.js advisories disclosed 2026-05-06/07.

Why

Lockfile-resolved next@16.2.4 is in the vulnerable range for all of:

| Advisory | Severity | Vector |
|---|---|---|
| GHSA-267c-6grr-h53f | HIGH (CVSS 8.6) | Middleware/proxy bypass via segment-prefetch routes — SSRF, internal-service access |
| GHSA-26hh-7cqf-hhc6 | HIGH | Same vector, "Incomplete Fix Follow-Up" — fixed only in 16.2.6 |
| GHSA-ffhc-5mcf-pf4q | MEDIUM | XSS via CSP nonces in App Router |
| GHSA-gx5p-jg67-6x7h | MEDIUM | XSS via beforeInteractive scripts |
| GHSA-vfv6-92ff-j949 | LOW | RSC cache poisoning via cache-buster collisions |

16.2.6 is the smallest bump that covers all five.

The README states the website deploys to Vercel, which means the SSRF (GHSA-267c-6grr-h53f / -26hh-7cqf-hhc6) is already mitigated at the platform layer. The XSS and cache-poisoning advisories still apply to Vercel-hosted apps, so the bump is meaningful regardless.

Changes

  • website/package.json — next: ^16.2.4 → ^16.2.6
  • website/package-lock.json — regenerated via npm install --package-lock-only. Resolved version: 16.2.6.

Test plan

  • cd website && npm install && npm run build — verify clean build with new dependency tree
  • Smoke npm run dev and confirm the site renders
  • (Optional) npm audit should report 0 high/critical

Summary by CodeRabbit

  • Chores
    • Updated Next.js framework to the latest patch version for improved stability and compatibility.
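The description's key point is that the caret range in package.json says nothing about what was actually installed; only the lockfile's resolved version does. The following check is an added example, not code from this PR or the repository: it reads a package-lock.json (constructed fragments here, lockfile v3 shape) and reports whether the resolved `next` is at or above the 16.2.6 fix version.

```javascript
// Added example (not part of the PR): which `next` version did the lockfile
// actually resolve, and does it meet the version the advisories are fixed in?

// Constructed lockfile fragments in the lockfile v3 shape ("packages" keyed by
// path). A real run would read website/package-lock.json from disk instead.
const LOCK_BEFORE = JSON.stringify({
  name: "website", lockfileVersion: 3,
  packages: { "": { dependencies: { next: "^16.2.4" } },
              "node_modules/next": { version: "16.2.4" } }
});
const LOCK_AFTER = JSON.stringify({
  name: "website", lockfileVersion: 3,
  packages: { "": { dependencies: { next: "^16.2.6" } },
              "node_modules/next": { version: "16.2.6" } }
});

// Resolved version of a top-level package; handles lockfile v2/v3 ("packages")
// and the older v1 layout ("dependencies").
function resolvedVersion(lockText, pkg) {
  const lock = JSON.parse(lockText);
  const fromPackages = lock.packages && lock.packages[`node_modules/${pkg}`];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies[pkg];
  if (fromDeps && fromDeps.version) return fromDeps.version;
  return null;
}

// Numeric dotted-version compare. Pre-release or build-tagged versions
// (e.g. a canary of 16.2.6) are rejected outright rather than parsed as fixed.
function atLeast(version, minimum) {
  if (/[-+]/.test(version)) return false;
  const a = version.split(".").map(Number), b = minimum.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Verdict for one lockfile against the minimum fixed version named in the PR.
function lockfileIsPatched(lockText, pkg = "next", fixedIn = "16.2.6") {
  const v = resolvedVersion(lockText, pkg);
  return { resolved: v, patched: v !== null && atLeast(v, fixedIn) };
}

console.log(lockfileIsPatched(LOCK_BEFORE)); // { resolved: '16.2.4', patched: false }
console.log(lockfileIsPatched(LOCK_AFTER));  // { resolved: '16.2.6', patched: true }
```

Pointing `lockfileIsPatched` at the real website/package-lock.json (via `fs.readFileSync`) turns the PR's "Resolved version: 16.2.6" claim into a check CI can run on every lockfile change.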

Review Change Stack

Patches the May 2026 Next.js advisory cluster (5 CVEs disclosed
2026-05-06/07). Bumping to 16.2.6 covers all of them:

- GHSA-267c-6grr-h53f (HIGH) — Middleware/proxy bypass via
  segment-prefetch routes (CVSS 8.6 SSRF). Self-hosted only;
  Vercel-hosted apps unaffected by this one.
- GHSA-26hh-7cqf-hhc6 (HIGH) — Same vector, "Incomplete Fix
  Follow-Up". Requires 16.2.6 specifically.
- GHSA-ffhc-5mcf-pf4q (MEDIUM) — XSS via CSP nonces in App Router.
- GHSA-gx5p-jg67-6x7h (MEDIUM) — XSS via beforeInteractive scripts.
- GHSA-vfv6-92ff-j949 (LOW) — RSC cache poisoning via collisions.

Previous pin: ^16.2.4 (lockfile resolved to 16.2.4 — vulnerable to
all five). New pin: ^16.2.6.
@vercel

vercel Bot commented May 15, 2026

@Sergentval is attempting to deploy a commit to rohitg00's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented May 15, 2026


Walkthrough

The next dependency in website/package.json is updated from ^16.2.4 to ^16.2.6.

Changes

Next.js Version Bump

| Layer / File(s) | Summary |
|---|---|
| Next.js dependency update (website/package.json) | The next package version is bumped from ^16.2.4 to ^16.2.6. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Poem

🐰 A patch so small, yet neat and clean,
Sixteen-point-two-point-six now seen,
Next.js hops along with glee,
Dependency bumps, as light as can be! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and specifically describes the main change: bumping the Next.js dependency to address five security advisories. It clearly identifies the package, version change, and primary motivation (security fixes). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
website/package.json (1)

15-15: Next.js 16.2.6 security update confirmed and compatible. The release (May 7, 2026) addresses critical vulnerabilities including the listed advisories and is fully compatible with React 19.2.5. For complete mitigation of React Server Components vulnerabilities, consider also updating React to 19.2.6 per the official security advisory.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/package.json` at line 15, The package.json currently pins "next":
"^16.2.6" (safe) but the advisory recommends also updating React; update the
react and react-dom entries in package.json to "^19.2.6" (matching the Next.js
compatibility note), then regenerate the lockfile (run npm/yarn install) and run
the app/tests to ensure no breakage; check the dependencies "next", "react", and
"react-dom" in package.json and verify the lockfile changes and CI pass.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0eb3586d-9e2e-4dde-a5a2-54a5afce1160

📥 Commits

Reviewing files that changed from the base of the PR and between 471cc21 and a643e3d.

⛔ Files ignored due to path filters (1)
  • website/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • website/package.json
