From 9ea98aa99ea0b3e08a6b5016d763699bda9bae35 Mon Sep 17 00:00:00 2001
From: Tom Pinder <tom@startvest.ai>
Date: Thu, 14 May 2026 22:56:41 -0400
Subject: [PATCH] chore: bump Next.js + React for May 2026 security release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

next 16.2.4 → 16.2.6
react 19.2.3 → 19.2.6
react-dom 19.2.3 → 19.2.6

Patches Next.js + React May 2026 security release (10 GHSAs + CVE-2026-23870).
No middleware.ts and no next/image usage in this repo, so structural exposure
to the bypass/image-DoS advisories was already nil; bump is hygiene.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index 58ed391..c40103f 100644
--- a/package.json
+++ b/package.json
@@ -11,10 +11,10 @@
   "dependencies": {
     "matter-js": "^0.20.0",
     "microsoft-cognitiveservices-speech-sdk": "^1.47.0",
-    "next": "^16.2.4",
+    "next": "^16.2.6",
     "pixi.js": "^8.14.3",
-    "react": "19.2.3",
-    "react-dom": "19.2.3",
+    "react": "19.2.6",
+    "react-dom": "19.2.6",
     "zustand": "^5.0.9"
   },
   "devDependencies": {