chore(deps): bump next from 16.2.2 to 16.2.3 in the npm_and_yarn group across 1 directory #138

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-ad77747e51
@dependabot dependabot Bot commented on behalf of github Apr 11, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: next.

Updates next from 16.2.2 to 16.2.3

Release notes

Sourced from next's releases.

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

  • Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
  • Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
  • Deduplicate output assets and detect content conflicts on emit (#92292)
  • Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

Commits
  • d5f649b v16.2.3
  • 2873928 [16.x] Avoid consuming cyclic models multiple times (#75)
  • d7c7765 [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...
  • c573e8c fix(server-hmr): metadata routes overwrite page runtime HMR handler (#92273)
  • 57b8f65 next-core: deduplicate output assets and detect content conflicts on emit (#9...
  • f158df1 Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • 356d605 turbo-tasks-backend: stability fixes for task cancellation and error handling...
  • 3b77a6e Fix DashMap read-write self-deadlock in task_cache causing hangs (#92210)
  • b2f208a Backport: new view-transitions guide, update and fixes (#92264)
  • See full diff in compare view

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 11, 2026
@github-actions

Knip Code Analysis

Found 8 total issues

| Category | Count |
| --- | --- |
| Unused Dependencies | 1 |
| Unused Dev Dependencies | 3 |
| Unused Exports | 4 |

Run pnpm knip locally to see the full report.

Use pnpm knip:filter pattern to filter results by file path.


Use /** @public */ JSDoc tags to mark intentionally exported symbols.

github-actions Bot commented Apr 11, 2026

✅ Security audit passed

Passed (38/38)

  • ✅ Auth enforcement on protected routes (per-handler)
  • ✅ No dangerous functions (eval, innerHTML, etc.)
  • ✅ No hardcoded secrets in source
  • ✅ Security headers in next.config.ts
  • ✅ Cookie security (httpOnly, sameSite, secure)
  • ✅ No sensitive fields in API responses
  • ✅ No .env files committed to repo
  • ✅ No raw SQL in API routes
  • ✅ No fetch/redirect with unvalidated URLs in routes
  • ✅ Timing-safe comparison for secret values
  • ✅ No raw SQL migration files (schema-first only)
  • ✅ External fetch calls have timeouts
  • ✅ Docker container runs as non-root user
  • ✅ Public routes match proxy allowlist
  • ✅ File delete operations have path traversal defense
  • ✅ Password hashing uses Argon2 (not SHA-256/bcrypt)
  • ✅ Encrypted columns written via encrypt()
  • ✅ TOTP 2FA flow integrity
  • ✅ Emergency lockdown flow integrity
  • ✅ Scrub & delete (nuke) flow integrity
  • ✅ Backup restore flow integrity
  • ✅ Login flow integrity
  • ✅ Auth result checked before proceeding
  • ✅ Backup password inputs bounded before key derivation
  • ✅ Webhook delivery fetch uses redirect: "error"
  • ✅ SESSION_SECRET minimum-length guard in auth/crypto modules
  • ✅ Notification URL validators include SSRF protection
  • ✅ Dockerfile does not COPY sensitive files
  • ✅ No secret env vars in client components
  • ✅ Adapter Cookie headers guard against injection
  • ✅ Adapter files do not log credential values
  • ✅ No console.log in API routes
  • ✅ No TODO/FIXME in security-critical files
  • ✅ JSON.parse wrapped in try-catch
  • ✅ No swallowed errors in catch blocks
  • ✅ Request body size validation on upload routes
  • ✅ BigInt fields use string serialization
  • ✅ No raw error messages in API responses

Summary: 38/38 checks passed

See scripts/security-audit.ts for check definitions and SECURITY.md for the full security architecture.

@jordanlambrecht jordanlambrecht changed the base branch from main to development April 13, 2026 18:50
@jordanlambrecht
Owner

@dependabot rebase

@dependabot dependabot Bot changed the base branch from development to main April 15, 2026 05:26
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-ad77747e51 branch from b819146 to 971c0fa Compare April 15, 2026 05:26
@jordanlambrecht jordanlambrecht changed the base branch from main to development April 18, 2026 08:51
@jordanlambrecht
Owner

https://github.com/dependabot rebase

Bumps the npm_and_yarn group with 1 update in the / directory: [next](https://github.com/vercel/next.js).


Updates `next` from 16.2.2 to 16.2.3
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.2...v16.2.3)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from development to main April 18, 2026 08:53
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-ad77747e51 branch from 971c0fa to e9af8f3 Compare April 18, 2026 08:53