
fix: bump next.js from 14.2.35 to 15.0.8 in demo apps#1574

Merged
jmfernandezalba merged 1 commit intomainfrom
devin/fix-next14-dependabot-alerts
Feb 11, 2026


@devin-ai-integration
Contributor

Description

Bumps next from 14.2.35 to 15.0.8 in the three demo apps to resolve Dependabot high-severity alerts #423, #426, #429, #431 for CVE "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components".

Apps updated:

  • apps/auth/nextjs-ssr
  • apps/payments/nextjs
  • apps/wallets/smart-wallet/next

These are private demo apps only — no published packages are affected and no changeset is needed.

⚠️ Reviewer note: This is a major version bump (14 → 15). Next.js 15 includes breaking changes (async request APIs, caching defaults, etc.). The demo app source code was not modified in this PR, so if any app code relies on changed Next.js APIs, it will surface as a build failure in CI. Please verify CI build results carefully.

Test plan

  • pnpm install completed successfully, lockfile updated with expected transitive dependency changes
  • pnpm lint (Biome) passed with no errors
  • CI build will validate that the demo apps compile against Next.js 15

Package updates

  • next: 14.2.35 → 15.0.8 in 3 demo apps (private, no changeset required)

Link to Devin run: https://crossmint.devinenterprise.com/sessions/b2403121093748faab2d6d11b5c38758
Requested by: unknown ()

@devin-ai-integration
Contributor Author

Original prompt from API User
Fix Dependabot high-severity alerts for next.js 14.x in the Crossmint/crossmint-sdk repository.

Context: There are 3 apps using next@14.2.35 that need to be bumped to next@15.0.8 (the first patched version) to resolve CVE for "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components".

Alerts to resolve: #423, #426, #429, #431

Apps to update:
- apps/auth/nextjs-ssr/package.json: next 14.2.35 → 15.0.8
- apps/payments/nextjs/package.json: next 14.2.35 → 15.0.8
- apps/wallets/smart-wallet/next/package.json: next 14.2.35 → 15.0.8

Steps:
1. Clone the repo: git clone https://github.com/Crossmint/crossmint-sdk.git
2. Create branch: git checkout -b devin/fix-next14-dependabot-alerts
3. In each of the 3 package.json files, update the "next" dependency from "14.2.35" to "15.0.8"
4. Run: pnpm install (to update the lockfile)
5. Run: pnpm lint (to check for lint errors)
6. Commit and push
7. Create a PR titled "fix: bump next.js from 14.2.35 to 15.0.8 in demo apps" targeting main branch

IMPORTANT:
- These are demo apps (in apps/ directory), NOT published packages, so NO changeset is needed.
- Only modify the 3 package.json files listed above and the pnpm-lock.yaml.
- Do NOT modify any files in packages/ directory.
- Do NOT add pnpm overrides to the root package.json.

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@changeset-bot

changeset-bot bot commented Feb 10, 2026

⚠️ No Changeset found

Latest commit: 472bb50

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Contributor

@greptile-apps greptile-apps bot left a comment


2 files reviewed, 2 comments


@greptile-apps
Contributor

greptile-apps bot commented Feb 10, 2026

Additional Comments (2)

apps/auth/nextjs-ssr/package.json
Next 15 requires newer Node

`next@15.0.8` declares `engines: { node: ^18.18.0 || ^19.8.0 || >=20 }` (see `pnpm-lock.yaml` entry), but this demo app doesn’t pin an `engines.node` version in `package.json`. If the repo/CI still runs Node 18.17.x (valid for Next 14 but not Next 15), installs/builds will fail with an engines mismatch. Please add an explicit `"engines": { "node": ">=18.18.0" }` (or align to whatever CI uses) to each bumped demo app (or ensure CI Node is updated accordingly).


apps/payments/nextjs/package.json
Next lint config mismatch

This app still pins eslint-config-next to 13.4.19 while upgrading next to 15.0.8. next lint uses Next’s lint integration and expects a compatible eslint-config-next/ESLint plugin set; keeping a v13 config with Next 15 commonly breaks lint/build (rule/options drift). Bump eslint-config-next to a version compatible with Next 15 (or remove the explicit pin and let it follow Next) to avoid CI failures.

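The two review findings above (the Node `engines` range and the `eslint-config-next` pin), together with the version floor this PR targets, can be checked mechanically before merge. The following is an added example, not code from this repository or from any bot in the thread; `auditManifest`, the finding labels and the sample manifests are assumptions, and the hand-rolled range check handles only the `^` and `>=` operators that appear in the quoted engines string.

```javascript
// Added example: audit a demo app manifest after the Next.js bump.
// PATCHED_NEXT and NEXT15_ENGINES are the values quoted in this PR thread.
const PATCHED_NEXT = "15.0.8";
const NEXT15_ENGINES = "^18.18.0 || ^19.8.0 || >=20";

// "15.0.8" -> [15, 0, 8]; leading operators are stripped, missing parts are 0.
const parse = (v) => {
  const p = v.replace(/^[^\d]*/, "").split(".").map(Number);
  return [p[0] || 0, p[1] || 0, p[2] || 0];
};
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// Minimal range check: "||" alternatives, each using ^ (major >= 1) or >=.
function satisfies(version, range) {
  return range.split("||").some((part) => {
    const r = part.trim();
    if (r.startsWith(">=")) return cmp(version, r) >= 0;
    if (r.startsWith("^"))
      return parse(version)[0] === parse(r)[0] && cmp(version, r) >= 0;
    return cmp(version, r) === 0;
  });
}

// Returns a list of finding labels (hypothetical names) for one manifest.
function auditManifest(pkg, ciNode) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  if (deps.next && cmp(deps.next, PATCHED_NEXT) < 0)
    findings.push("next-below-patched");
  if (!satisfies(ciNode, NEXT15_ENGINES)) findings.push("node-engine-mismatch");
  const lint = deps["eslint-config-next"];
  if (lint && deps.next && parse(lint)[0] !== parse(deps.next)[0])
    findings.push("eslint-config-next-major-mismatch");
  return findings;
}

// Constructed manifests and CI Node versions mirroring the review comments.
const before = { dependencies: { next: "14.2.35", "eslint-config-next": "13.4.19" } };
const after = { dependencies: { next: "15.0.8" }, devDependencies: { "eslint-config-next": "13.4.19" } };
console.log(auditManifest(before, "18.17.1"));
console.log(auditManifest(after, "20.11.0"));
```

In a real pipeline a maintained semver library would replace the hand-rolled `satisfies`, which ignores prerelease tags and other range operators.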

@jmfernandezalba jmfernandezalba merged commit 73ab2bd into main Feb 11, 2026
2 checks passed
@jmfernandezalba jmfernandezalba deleted the devin/fix-next14-dependabot-alerts branch February 11, 2026 19:36