chore(deps): bump next to 16.2.6

[charlesrhoward]

Summary

Patches the May 2026 Next.js security release (13 CVEs: middleware bypass, RSC DoS, SSRF via WebSocket upgrades, RSC cache poisoning, XSS in App Router CSP nonces, etc.). Affected: <= 16.2.5 on the 16.x line.

Release notes: https://vercel.com/changelog/next-js-may-2026-security-release

Files touched

• package.json — next 16.2.4 → 16.2.6, eslint-config-next 16.2.4 → 16.2.6
• pnpm-lock.yaml — regenerated

Test plan

• pnpm install
• pnpm lint
• pnpm types:check
• pnpm build

🤖 Generated with Claude Code

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mogplex-docs	Ready	Preview, Comment	May 15, 2026 9:18pm

[mogplex]

Mogplex PR Review

Status: No material issues found

Summary

Clean, minimal security patch bump. next and eslint-config-next are both consistently updated from 16.2.4 → 16.2.6 in package.json, and the lockfile resolves to the new version uniformly across all peer-dependency chains (fumadocs-core, fumadocs-mdx, fumadocs-ui, geist). No unrelated packages were touched and no extraneous dependencies were introduced.

The PR description accurately describes the change and the stated test plan (install, lint, type-check, build) is appropriate for a dependency bump of this nature.

Verdict

✅ APPROVE — Straightforward security patch with no issues found. Safe to merge.

Affected files:

• package.json
• pnpm-lock.yaml

View check run