chore(deps): bump next to 16.2.6 (security patch)

[teallarson]

Summary

• Bumps next from 16.1.7 → 16.2.6
• Bumps @next/third-parties from 16.1.7 → 16.2.6

Patches all 13 security advisories from the Next.js v15.5.18 / v16.2.6 security release:

Severity	Advisory	Summary
High	GHSA-8h8q-6873-q5fj	DoS with Server Components
High	GHSA-267c-6grr-h53f	Middleware bypass via segment-prefetch routes
High	GHSA-26hh-7cqf-hhc6	Middleware bypass via segment-prefetch (incomplete fix follow-up)
High	GHSA-mg66-mrh9-m8jx	DoS via connection exhaustion in Cache Components
High	GHSA-492v-c6pp-mqqv	Middleware bypass via dynamic route parameter injection
High	GHSA-c4j6-fc7j-m34r	SSRF via WebSocket upgrades
High	GHSA-36qx-fr4f-26g5	Middleware bypass in Pages Router i18n
Medium	GHSA-ffhc-5mcf-pf4q	XSS via CSP nonces
Medium	GHSA-gx5p-jg67-6x7h	XSS in beforeInteractive scripts
Medium	GHSA-h64f-5h5j-jqjh	DoS in Image Optimization API
Medium	GHSA-wfc6-r584-vfw7	Cache poisoning in RSC responses
Low	GHSA-vfv6-92ff-j949	Cache poisoning via RSC cache-busting collisions
Low	GHSA-3g8h-86w9-wvmq	Middleware redirect cache poisoning

Test plan

• pnpm build passes
• Verify docs site loads correctly in dev (pnpm dev)

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Error		May 8, 2026 2:05am