
Remove vulnerable Next lock entry #698

Open
Finesssee wants to merge 2 commits into athasdev:master from Finesssee:fix-next-cve-2026-44578

Conversation

@Finesssee
Contributor

Summary

Fixes the stale vulnerable Next.js lockfile exposure for CVE-2026-44578 by forcing Bun's optional peer resolution for next to the patched 15.5.16 line.

package.json does not directly depend on Next.js. The vulnerable next@15.4.4 entry in bun.lock was pulled in by react-scan's optional next >=13.0.0 peer metadata. Regenerating the lockfile without an override kept the vulnerable optional peer, so this adds an explicit Bun override instead of adding Next as an application dependency.

CVE context

CVE-2026-44578 affects the Next.js WebSocket Upgrade handling path and can expose SSRF risk in vulnerable Next.js versions. The affected ranges include:

  • 13.4.13+
  • 14.x
  • 15.x before 15.5.16
  • 16.0.0 through 16.2.4

The patched targets are 15.5.16 or 16.2.5. This repo was locking next@15.4.4, which is in the affected 15.x range.

Fix

  • Add a Bun overrides.next pin to 15.5.16.
  • Regenerate bun.lock with the repo-declared Bun 1.3.2.
  • Remove the stale next@15.4.4 package entry and its Next-only dependency closure from the lockfile.

After this change, no installed vulnerable Next.js package remains; react-scan still records next as an optional peer only.

Validation

  • bunx bun@1.3.2 install --frozen-lockfile
    • Completed successfully. The repo's simple-git-hooks prepare script printed a worktree-local .git/hooks ENOTDIR warning because this checkout uses a Git worktree .git file, but Bun exited 0 and accepted the frozen lockfile.
  • rg -n 'next@15\.4\.4|@next/(env|swc)|"next": \["next@' package.json bun.lock
    • No matches.
  • find node_modules -path '*/next/package.json' -print -quit
    • No installed Next package found.
  • bunx bun@1.3.2 typecheck
  • bunx bun@1.3.2 check:frontend
    • Passed with existing lint warnings in unrelated files: reorderable-item-strip.tsx, ai-settings.tsx, web-viewer-url.ts, and ai-provider-interface.ts.
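
As an added check that is not part of this PR or the repository's code: a small Python script that scans a bun.lock fragment for resolved next entries, classifies each against the affected ranges the PR lists for CVE-2026-44578, and confirms that package.json carries an overrides.next pin outside those ranges. The lockfile shape it matches (the same `"next": ["next@...` shape the PR's rg check uses), the react-scan version and the sha512 strings in the fixtures are constructed assumptions.

```python
import json
import re
# Affected next versions for CVE-2026-44578 exactly as the PR lists them:
# 13.4.13+, all of 14.x, 15.x before 15.5.16, and 16.0.0 through 16.2.4.
def _version_tuple(version):
    # Accept "15.4.4", "14", or a pin such as "^15.5.16"; drop any prerelease suffix.
    parts = version.lstrip("^~=v").split("-")[0].split(".") + ["0", "0"]
    return tuple(int(p) for p in parts[:3])

def is_vulnerable_next(version):
    major, minor, patch = _version_tuple(version)
    if major == 13:
        return (minor, patch) >= (4, 13)
    if major == 14:
        return True
    if major == 15:
        return (minor, patch) < (5, 16)
    if major == 16:
        return (minor, patch) <= (2, 4)
    return False

# Assumed bun.lock shape: resolved packages appear as `"<key>": ["<name>@<version>", ...]`,
# the same shape the PR's rg pattern ("next": \["next@) matches. A peer range such as
# react-scan's "next": ">=13.0.0" is metadata, not a resolved package, so it is not matched.
_NEXT_ENTRY = re.compile(r'"(?P<key>[^"]+)":\s*\["next@(?P<version>[0-9][^"]*)"')
def resolved_next_versions(lock_text):
    return {m["key"]: m["version"] for m in _NEXT_ENTRY.finditer(lock_text)}

def vulnerable_next_entries(lock_text):
    return {k: v for k, v in resolved_next_versions(lock_text).items() if is_vulnerable_next(v)}

def has_patched_override(package_json_text):
    # True only when package.json pins overrides.next to a version outside the affected ranges.
    pin = json.loads(package_json_text).get("overrides", {}).get("next")
    return pin is not None and not is_vulnerable_next(pin)

# Constructed fixtures: the react-scan version and the sha512 strings are placeholders.
LOCK_BEFORE = '''{ "packages": {
  "next": ["next@15.4.4", "", { "dependencies": { "@next/env": "15.4.4" } }, "sha512-PLACEHOLDER"],
  "react-scan": ["react-scan@0.0.0", "", { "peerDependencies": { "next": ">=13.0.0" }, "optionalPeers": ["next"] }, "sha512-PLACEHOLDER"]
} }'''
LOCK_AFTER = '''{ "packages": {
  "react-scan": ["react-scan@0.0.0", "", { "peerDependencies": { "next": ">=13.0.0" }, "optionalPeers": ["next"] }, "sha512-PLACEHOLDER"]
} }'''
PACKAGE_JSON_FIXED = '{ "name": "app", "overrides": { "next": "15.5.16" } }'

if __name__ == "__main__":
    print("before:", vulnerable_next_entries(LOCK_BEFORE))  # {'next': '15.4.4'}
    print("after:", vulnerable_next_entries(LOCK_AFTER), has_patched_override(PACKAGE_JSON_FIXED))  # {} True
```

Pointing the two scanners at a real bun.lock and package.json (read from disk instead of the fixtures) gives a repeatable version of the rg and find checks listed above.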

Finesssee and others added 2 commits May 12, 2026 18:38
Force Next's optional peer resolution to patched 15.5.16.

This removes next@15.4.4 and its Next-only dependency closure from bun.lock.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mehmetozguldev mehmetozguldev self-requested a review May 15, 2026 00:30