Fix React Server Components RCE vulnerability (#1331)

A critical remote code execution (RCE) vulnerability in React Server
Components, impacting frameworks such as Next.js, was identified in the
project
[saas-microservices-dashboard](https://vercel.com/now-examples/saas-microservices-dashboard).
The vulnerability enables unauthenticated RCE on the server via insecure
deserialization in the React Flight protocol.

This issue is tracked under:
- GitHub Security Advisory:
[GHSA-9qr9-h5gf-34mp](GHSA-9qr9-h5gf-34mp)
- React Advisory:
[CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- Next.js Advisory:
[CVE-2025-66478](https://nextjs.org/blog/CVE-2025-66478)

This automated pull request upgrades the affected React and Next.js
packages to patched versions that remediate the issue.

[More Info](https://vercel.link/cve-2025-55182-automated-pr)

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>

Author: vercel[bot]

apps/vibe-coding-platform/package.json

@@ -32,7 +32,7 @@
     "jose": "6.0.12",
     "lucide-react": "0.528.0",
     "ms": "2.1.3",
-    "next": "15.5.4",
+    "next": "15.5.7",
     "next-themes": "^0.4.6",
     "nuqs": "2.4.3",
     "react": "19.1.0",

apps/vibe-coding-platform/pnpm-lock.yaml

@@ -11,7 +11,7 @@
   "dependencies": {
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
-    "next": "15.1.4"
+    "next": "15.1.9"
   },
   "devDependencies": {
     "typescript": "^5",

framework-boilerplates/nextjs/package.json

@@ -17,7 +17,7 @@
     "jszip": "^3.10.1",
     "lucide-react": "^0.514.0",
     "monaco-editor": "^0.52.0",
-    "next": "16.0.0-beta.0",
+    "next": "16.0.7",
     "postcss": "^8.5.5",
     "react": "19.2.0",
     "react-dom": "19.2.0",