@devin-ai-integration

Description

Bumps next from 15.3.8 to 15.3.9 in apps/wallets/quickstart-devkit to resolve Dependabot high-severity alerts #418 and #419 for CVE: "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components".

Only the demo app's package.json and the root pnpm-lock.yaml are modified. No published packages are affected.

Test plan

  • Lint passes (pnpm lint)
  • CI should confirm no regressions

Package updates

  • next: 15.3.8 → 15.3.9 (patch, demo app only — no changeset needed)

Link to Devin run: https://crossmint.devinenterprise.com/sessions/7dc12e4dd2ef455299e32521108d7a93
Requested by: unknown ()

@devin-ai-integration

Original prompt from API User
Fix Dependabot high-severity alert for next.js 15.3.x in the Crossmint/crossmint-sdk repository.

Context: The app apps/wallets/quickstart-devkit uses next@15.3.8 which needs to be bumped to next@15.3.9 to resolve CVE for "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components".

Alerts to resolve: #418, #419

Steps:
1. Clone the repo: git clone https://github.com/Crossmint/crossmint-sdk.git
2. Create branch: git checkout -b devin/fix-next15-dependabot-alert
3. In apps/wallets/quickstart-devkit/package.json, update the "next" dependency from "15.3.8" to "15.3.9"
4. Run: pnpm install (to update the lockfile)
5. Run: pnpm lint (to check for lint errors). If lint fails, run pnpm lint:fix to auto-fix formatting.
6. Commit and push
7. Create a PR titled "fix: bump next.js from 15.3.8 to 15.3.9 in quickstart-devkit" targeting main branch

IMPORTANT:
- This is a demo app (in apps/ directory), NOT a published package, so NO changeset is needed.
- Only modify apps/wallets/quickstart-devkit/package.json and the pnpm-lock.yaml.
- Do NOT modify any files in packages/ directory.
- Do NOT add pnpm overrides to the root package.json.
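
A check a reviewer could run after the bump described in the prompt above, as an added example that is not part of this PR or the repository: it scans the `importers` section of a pnpm lockfile for workspaces still locked to a `next` 15.3.x release below 15.3.9. The lockfile text, the `apps/example-*` importers and the function names are assumptions made for illustration.

```javascript
// Added example, not code from this PR or repository. The importer path and
// 15.3.8 / 15.3.9 come from the PR; everything else in SAMPLE_LOCK is constructed.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
importers:
  apps/wallets/quickstart-devkit:
    dependencies:
      next:
        specifier: 15.3.8
        version: 15.3.8(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
  apps/example-patched:
    dependencies:
      next:
        specifier: 15.3.9
        version: 15.3.9(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
  apps/example-other-line:
    dependencies:
      next:
        specifier: 14.2.0
        version: 14.2.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
packages:
  next@15.3.8:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

const unquote = (s) => s.replace(/:$/, "").replace(/^['"]|['"]$/g, "");
// List importers whose locked `pkg` is on floor's major.minor line but below it.
// Other release lines are skipped: the PR names a fix only for 15.3.x.
function staleImporters(lockText, pkg, floor) {
  const [fMaj, fMin, fPatch] = floor.split(".").map(Number);
  const hits = [];
  let section = "", importer = "", dep = "";
  for (const line of lockText.split(/\r?\n/)) {
    const text = line.trim();
    if (!text) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) { section = unquote(text); continue; }
    if (section !== "importers") continue; // ignore packages/snapshots keys
    if (indent === 2) { importer = unquote(text); dep = ""; continue; }
    if (indent === 6) { dep = unquote(text); continue; }
    const m = indent === 8 && dep === pkg &&
      text.match(/^version: (\d+)\.(\d+)\.(\d+)(-[^\s(]+)?/);
    if (!m || +m[1] !== fMaj || +m[2] !== fMin) continue;
    // A prerelease of the floor version sorts below it, so flag that too.
    if (+m[3] < fPatch || (+m[3] === fPatch && m[4]))
      hits.push({ importer, version: m[0].slice("version: ".length) });
  }
  return hits;
}
console.log(staleImporters(SAMPLE_LOCK, "next", "15.3.9"));
```

An empty result for the real `pnpm-lock.yaml` means no workspace is still locked to an older 15.3.x release of `next`.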

@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@changeset-bot

changeset-bot bot commented Feb 10, 2026

⚠️ No Changeset found

Latest commit: a82248b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


@greptile-apps greptile-apps bot left a comment

No files reviewed, no comments


@github-actions

🔥 Smoke Test Results

Status: Passed

Statistics

  • Total Tests: 5
  • Passed: 5 ✅
  • Failed: 0
  • Skipped: 0
  • Duration: 4.94 min

✅ All smoke tests passed!

All critical flows are working correctly.


This is a non-blocking smoke test. Full regression tests run separately.

@jmfernandezalba jmfernandezalba merged commit 8261ace into main Feb 10, 2026
3 checks passed
@jmfernandezalba jmfernandezalba deleted the devin/fix-next15-dependabot-alert branch February 10, 2026 11:14