Upgrade Next.js from 16.2.2 to 16.2.3 (CVE-2026-23869)#1390

Merged: cjbell merged 2 commits into main from cjbell-upgrade-nextjs-16.2.3-a895 on Apr 10, 2026

Conversation

@cjbell (Contributor) commented Apr 10, 2026

Description

Upgrades Next.js from 16.2.2 to 16.2.3 to address CVE-2026-23869, a vulnerability affecting React Server Components packages and frameworks using the App Router (Next.js 13.x, 14.x, 15.x, 16.x).

Changes:

  • Updated next dependency in package.json from ^16.2.2 to ^16.2.3
  • Updated yarn.lock with resolved 16.2.3 packages

The production build passes with no issues.

Linear Issue: KNO-12610

Co-authored-by: Chris Bell <chris@cjbell.co>
@vercel bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Canceled Canceled Apr 10, 2026 8:47pm


@cursor cursor bot left a comment

Risk HIGH: Upgrades Next.js from 16.2.2 to 16.2.3 to address CVE-2026-23869, a security vulnerability in React Server Components.

Reasons

  • package.json is modified (HIGH trigger per classification rules)
  • yarn.lock is modified with 85 additions and 60 deletions (HIGH trigger)
  • The change is a patch version bump (16.2.2 → 16.2.3) for a single dependency
  • Only 3 files changed (next-env.d.ts, package.json, yarn.lock), all related to the version bump
  • The PR addresses a specific CVE (CVE-2026-23869), which is a valid security motivation

Notes

  • Despite the HIGH classification (triggered by package.json + yarn.lock changes), the actual risk surface is narrow: this is a single patch-level dependency bump with no application code changes.
  • Verify the Vercel preview deployment builds and renders correctly.
  • Confirm no regressions in routing, server components, or MDX rendering after the Next.js patch update.
  • The yarn.lock diff is mechanical and expected for a version bump — focus review on the package.json change itself.
Sent by Cursor Automation: Docs PR classifier
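The reviewer notes above ask that the package.json change be checked and that the lockfile bump be complete. The script below is an added example, not code from this repository or from Cursor: it reads a package.json and a yarn lockfile and reports any declared range or lockfile resolution of `next` still below 16.2.3, so a stale pre-fix copy left in yarn.lock (the constructed scenario embedded here) is caught rather than assumed away. The lockfile parsing, the sample inputs and the caret/tilde range handling are the example's own assumptions.

```python
import json
import re

# Constructed sample inputs (not the project's real files): package.json pinning the
# patched range, and a yarn-classic-style lockfile where a stale 16.2.2 "next" survived.
PACKAGE_JSON = '{"dependencies": {"next": "^16.2.3", "react": "^19.0.0"}}'
YARN_LOCK = '''next@^16.2.3:
  version "16.2.3"
  resolved "https://registry.yarnpkg.com/next/-/next-16.2.3.tgz"

"next@^16.2.2":
  version "16.2.2"
  resolved "https://registry.yarnpkg.com/next/-/next-16.2.2.tgz"
'''
FIXED = (16, 2, 3)  # the release the PR upgrades to for CVE-2026-23869


def parse_version(text):
    """First x.y.z triple in a version or range string, as a comparable tuple."""
    return tuple(int(p) for p in re.search(r"(\d+)\.(\d+)\.(\d+)", text).groups())


def lock_versions(lock_text, package):
    """Every version `package` resolves to. Headers are the unindented lines (comma-
    separated ranges, quoted or not); reads yarn classic `version "x"` and berry `version: x`."""
    versions, in_entry = [], False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():
            ranges = [r.strip().strip('"') for r in line.rstrip(":").split(",")]
            in_entry = any(r.startswith(package + "@") for r in ranges)
        elif in_entry:
            m = re.match(r'\s*version:?\s*"?(\d+\.\d+\.\d+)', line)
            if m:
                versions.append(m.group(1))
    return versions


def audit(package_json_text, lock_text, package="next", fixed=FIXED):
    """Return (ok, findings). Assumes caret/tilde/exact ranges, whose floor is the
    first version triple; that floor and every lockfile resolution must be >= fixed."""
    findings = []
    declared = json.loads(package_json_text).get("dependencies", {}).get(package)
    if declared is None:
        findings.append(f"{package} is not declared in package.json")
    elif parse_version(declared) < fixed:
        findings.append(f"package.json range {declared} admits versions below the fix")
    resolved = lock_versions(lock_text, package)
    if not resolved:
        findings.append(f"{package} has no lockfile entry")
    findings += [f"lockfile still resolves {package} to {v}"
                 for v in resolved if parse_version(v) < fixed]
    return (not findings, findings)
```

Run `audit(open("package.json").read(), open("yarn.lock").read())` in the checked-out branch; the sample inputs above deliberately fail with one finding.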

@cjbell cjbell merged commit c6203e1 into main Apr 10, 2026
5 checks passed
@cjbell cjbell deleted the cjbell-upgrade-nextjs-16.2.3-a895 branch April 10, 2026 22:46