chore(deps): bump next to 16.2.5 for CVE-2026-44578 SSRF fix #4606

Merged
waleedlatif1 merged 2 commits into staging from waleedlatif1/nextjs-ssrf-cve on May 14, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Bump Next.js from 16.2.4 → 16.2.5 across root, apps/sim, apps/docs
  • Patches CVE-2026-44578 (WebSocket upgrade SSRF, CVSS 8.6) + 11 other CVEs in the 16.2.5 release
  • Self-hosted Sim was in scope of the advisory

Type of Change

  • Bug fix

Testing

Tested manually — bun install resolves cleanly, lockfile updated

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel Bot commented May 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions          | Updated (UTC)
docs    | Ready       | Preview, Comment | May 14, 2026 9:34pm

cursor Bot commented May 14, 2026

PR Summary

Medium Risk
Updates the core Next.js runtime across multiple apps; while this is a patch release (primarily security fixes), framework upgrades can still introduce build/runtime regressions.

Overview
Upgrades Next.js from 16.2.4 to 16.2.6 in apps/sim, apps/docs, and the root package.json overrides, aligning @next/env to the same version.

Updates bun.lock accordingly, including the pinned next/@next/* SWC binaries to 16.2.6.

Reviewed by Cursor Bugbot for commit 9982135.

greptile-apps Bot commented May 14, 2026

Greptile Summary

Bumps Next.js from 16.2.4 to 16.2.6 (not 16.2.5 as the title states) across apps/sim, apps/docs, the root workspace, and bun.lock to remediate CVE-2026-44578 (WebSocket upgrade SSRF, CVSS 8.6) and the broader May 2026 Next.js security advisory.

  • next and @next/env overrides are updated to 16.2.6 in all three package.json files, and all 8 platform-specific @next/swc-* binaries in bun.lock are updated with matching integrity hashes.
  • The PR title and description still reference 16.2.5; the actual shipped version is 16.2.6 following the in-flight review update — these should be corrected for audit traceability.

Confidence Score: 5/5

Safe to merge — the change is a targeted version bump with no logic changes and all package manifests and the lockfile are consistent.

All four changed files make the same mechanical substitution (16.2.4 → 16.2.6). The lockfile is internally consistent: next, @next/env, and every platform binary are at the same version with fresh integrity hashes. No application logic is touched.

No files require special attention. The only note is the stale PR title/description referencing 16.2.5 rather than the actual 16.2.6 that was shipped.

Important Files Changed

Filename               | Overview
package.json           | Root workspace overrides for next and @next/env correctly bumped from 16.2.4 → 16.2.6
apps/sim/package.json  | next dependency and next/@next/env overrides all consistently updated to 16.2.6
apps/docs/package.json | next pinned version bumped from 16.2.4 → 16.2.6; no local overrides needed as root handles them
bun.lock               | Lockfile consistently updated: next, @next/env, and all 8 platform-specific @next/swc-* binaries bumped to 16.2.6 with new integrity hashes

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["CVE-2026-44578\n(WebSocket SSRF, CVSS 8.6)\n+ May 2026 Next.js Advisory"] --> B["Bump next 16.2.4 → 16.2.6"]
    B --> C["package.json\n(root overrides)"]
    B --> D["apps/sim/package.json\n(dep + overrides)"]
    B --> E["apps/docs/package.json\n(dep)"]
    C --> F["bun.lock\nnext@16.2.6\n@next/env@16.2.6\n8× @next/swc-* binaries"]
    D --> F
    E --> F

Reviews (2): Last reviewed commit: "chore(deps): bump next to 16.2.6 for ful..."

Comment thread package.json Outdated
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 9982135.

@waleedlatif1 waleedlatif1 merged commit 11fa96c into staging May 14, 2026
9 of 10 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/nextjs-ssrf-cve branch May 14, 2026 21:34