chore(deps): Bump next from 16.1.6 to 16.2.6

[dependabot]

Bumps next from 16.1.6 to 16.2.6.

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
coding-drills	Ready	Preview, Comment	May 12, 2026 8:13am

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

Upgrades Next.js from 16.1.6 to 16.2.6 across all package manifests with full transitive dependency updates.

• package.json: Direct next version bumped to 16.2.6
• package-lock.json / pnpm-lock.yaml: All @next/* packages (env, swc-darwin-arm64/x64, swc-linux-, swc-win32-) updated to 16.2.6
• baseline-browser-mapping bumped to 2.10.29; CLI entry renamed from dist/cli.js to dist/cli.cjs; Node.js engine requirement added
• sharp optional dependency constraint updated to ^0.34.5
• Transitive bumps: @babel/code-frame, @babel/runtime, @emnapi/runtime, @img/colour, caniuse-lite, nanoid, semver
• Peer dependency resolution strings updated for nuqs, @storybook/nextjs-vite, and vite-plugin-storybook-nextjs

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this is a routine dependency bump of Next.js from 16.1.6 to 16.2.6 with no logic changes introduced by the PR authors. The lockfile updates are consistent with the direct dependency version change, and the transitive updates to @next/* SWC binaries, baseline-browser-mapping, and the sharp optional dependency constraint are all expected artifacts of a minor version upgrade. No review comments were generated and no pre-existing unresolved concerns are flagged against this PR.

Key Findings:

• All changed files are limited to package.json, package-lock.json, and pnpm-lock.yaml — no application source code was modified, eliminating any risk of logic or runtime regressions introduced by this PR.
• The baseline-browser-mapping CLI entry rename from dist/cli.js to dist/cli.cjs is a transitive dependency change; as long as no project scripts directly invoke that binary path (which would be unusual for an app-level dependency), this is a non-breaking internal change.
• The sharp optional dependency constraint update is correctly scoped as optional, meaning build environments without native bindings will not break — this is consistent with Next.js image optimization handling.
• No heuristic analysis flagged any critical, significant, or medium-severity issues across the reviewed files, and all changed files were covered by the automated review.

Files requiring special attention

• package.json
• package-lock.json