fix: Bump react/next versions to fix security vuln

[dgca]

What changed? Why?

Issue affect React@19. Since we're at 18, we're good here:

~/dev/web$ yarn why react
├─ @app/web@workspace:apps/web
│  └─ react@npm:18.3.1 (via npm:^18.2.0)
│
├─ @base-org/base-web@workspace:.
│  └─ react@npm:18.3.1 (via npm:^18.2.0)
│
└─ base-ui@workspace:libs/base-ui
   └─ react@npm:18.3.1 (via npm:^18.2.0)

Next versions were bumped to the latest minor versions where the security issue was fixed:

~/dev/web$ yarn why next
├─ @app/web@workspace:apps/web
│  └─ next@npm:15.5.7 [b31ab] (via npm:^15.5.7 [b31ab])
│
├─ @base-org/base-web@workspace:.
│  └─ next@npm:15.1.9 [f51bd] (via npm:15.1.9 [f51bd])
│
└─ base-ui@workspace:libs/base-ui
   └─ next@npm:15.1.9 [4654b] (via npm:15.1.9 [4654b])

Notes to reviewers

How has it been tested?

Manually

Have you tested the following pages?

BaseWeb

• base.org
• base.org/names
• base.org/builders
• base.org/ecosystem
• base.org/name/jesse
• base.org/manage-names
• base.org/resources

[cb-heimdall]

✅ Heimdall Review Status

Requirement	Status	More Info
Reviews	✅ 1/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
base-web	Ready	Preview	Comment	Dec 4, 2025 8:51pm