fix: upgrade Next.js to patch CVE-2026-23864 #969

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1769519128-cve-2026-23864-nextjs-patch

@devin-ai-integration
Contributor

Summary

Upgrades Next.js across 7 applications to address CVE-2026-23864, a high-severity (CVSS 7.5) denial of service vulnerability in React Server Components. The vulnerability allows attackers to trigger DoS by sending specially crafted HTTP requests to Server Function endpoints.

Patch upgrades (low risk):

  • pos-dapp: 15.5.9 → 15.5.10
  • react-dapp-v2-cosmos-provider: 15.4.10 → 15.4.11
  • react-wallet-v2: 15.5.9 → 15.5.10

Major version upgrades (higher risk):

  • chain-abstraction-demo: 14.2.35 → 15.5.10
  • react-dapp-v2: 14.2.35 → 15.5.10
  • react-dapp-v2-with-ethers: 14.2.35 → 15.5.10
  • smart-sessions-demo: 14.2.35 → 15.5.10

Note: No patch exists for Next.js 14.x, requiring major version upgrades for affected apps.

Reference: https://vercel.com/changelog/summary-of-cve-2026-23864

Review & Testing Checklist for Human

  • Verify lockfiles are updated - The diff shows package.json changes but lockfiles may need regeneration (npm install or pnpm install in each affected directory)
  • Test major-upgraded apps build successfully - Focus on chain-abstraction-demo, react-dapp-v2, react-dapp-v2-with-ethers, and smart-sessions-demo
  • Check for React 18/19 compatibility issues - Several apps use React 18.x while Next.js 15 targets React 19; watch for runtime errors
  • Verify App Router behavior - Next.js 15 changed caching defaults (fetch caching is now opt-in)
  • Spot-check one major-upgraded app runs locally - Run npm run dev and verify basic functionality

Recommended test plan: Pick one of the major-upgraded apps (e.g., react-dapp-v2) and verify it builds, starts, and can connect to a wallet without errors.

Notes

This is part of a broader CVE patching effort across multiple Reown repositories. The 14.x → 15.x upgrades carry inherent risk due to Next.js breaking changes, but are necessary as no 14.x patch exists for this vulnerability.

Link to Devin run: https://app.devin.ai/sessions/0d31181cde324dcca189973513849b0e
Requested by: Ben Kremer (@bkrem)
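
A lockfile check for the first item of the review checklist above, as an added example that is not part of this PR or the repository. It compares the `next` version declared in `package.json` with the version resolved in an npm `package-lock.json` (v2/v3 layout assumed) and treats the versions this PR upgrades to as the patched floor of each release line, which is an assumption; the function names and sample inputs are constructed.

```javascript
// Added example, not code from this repository.
// Assumption: the versions this PR upgrades to are the patched floor of each release line.
const PATCHED_FLOOR = { '15.4': 11, '15.5': 10 };

// Parse "15.5.10" or "^15.5.10"; returns null for anything that is not plain x.y.z.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec || '').trim());
  return m ? { major: Number(m[1]), line: `${m[1]}.${m[2]}`, patch: Number(m[3]) } : null;
}

function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (v.major === 14) return 'vulnerable'; // PR note: no patch exists for 14.x
  const floor = PATCHED_FLOOR[v.line];
  if (floor === undefined) return 'unknown'; // release line not covered by this PR
  return v.patch >= floor ? 'patched' : 'vulnerable';
}

// manifest: parsed package.json; lock: parsed package-lock.json (v2/v3), or null.
function auditApp(name, manifest, lock) {
  const declared = (manifest.dependencies || {}).next || null;
  const entry = lock && lock.packages && lock.packages['node_modules/next'];
  const resolved = entry ? entry.version : null;
  let verdict;
  if (!resolved) verdict = 'no-lockfile-entry';
  else if (classify(declared) === 'patched' && classify(resolved) !== 'patched') verdict = 'stale-lockfile';
  else verdict = classify(resolved); // what is installed decides, not the declared range
  return { name, declared, resolved, verdict };
}

// Constructed sample inputs (not the repository's real files).
const lockWith = (version) => ({ lockfileVersion: 3, packages: { 'node_modules/next': { version } } });
const samples = [
  ['pos-dapp', { dependencies: { next: '15.5.10' } }, lockWith('15.5.10')],
  ['react-dapp-v2', { dependencies: { next: '15.5.10' } }, lockWith('14.2.35')],
  ['react-wallet-v2', { dependencies: { next: '^15.5.9' } }, lockWith('15.5.9')],
  ['smart-sessions-demo', { dependencies: { next: '15.5.10' } }, null],
];
const report = samples.map(([name, manifest, lock]) => auditApp(name, manifest, lock));
for (const r of report) console.log(`${r.name}: declared=${r.declared} resolved=${r.resolved} -> ${r.verdict}`);
```

A `stale-lockfile` verdict is the case the checklist warns about: the manifest names a patched version while the lockfile still pins the old one, so a clean install from the lockfile would deploy the vulnerable release.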

- chain-abstraction-demo: 14.2.35 -> 15.5.10
- pos-dapp: 15.5.9 -> 15.5.10
- react-dapp-v2-cosmos-provider: 15.4.10 -> 15.4.11
- react-dapp-v2-with-ethers: 14.2.35 -> 15.5.10
- react-dapp-v2: 14.2.35 -> 15.5.10
- smart-sessions-demo: 14.2.35 -> 15.5.10
- react-wallet-v2: 15.5.9 -> 15.5.10

CVE-2026-23864 addresses multiple denial of service vulnerabilities
in React Server Components. The vulnerabilities are triggered by
sending specially crafted HTTP requests to Server Function endpoints.

Reference: https://vercel.com/changelog/summary-of-cve-2026-23864
Co-Authored-By: Ben Kremer <ben@reown.com>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@vercel

vercel bot commented Jan 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| chain-abstraction-demo | Ready | Preview, Comment | Jan 27, 2026 1:16pm |
| decentralized-relay-app | Error | | Jan 27, 2026 1:16pm |
| decentralized-relay-wallet | Error | | Jan 27, 2026 1:16pm |
| malicious-dapp-verify-simulation | Error | | Jan 27, 2026 1:16pm |
| pos-dapp | Ready | Preview, Comment | Jan 27, 2026 1:16pm |
| react-dapp-v2 | Error | | Jan 27, 2026 1:16pm |
| react-dapp-v2-cosmos-provider | Error | | Jan 27, 2026 1:16pm |
| react-dapp-v2-with-ethers | Error | | Jan 27, 2026 1:16pm |
| react-wallet-v2 | Error | Comment | Jan 27, 2026 1:16pm |
| smart-sessions-demo | Error | | Jan 27, 2026 1:16pm |
| wallet-pay-dapp | Error | | Jan 27, 2026 1:16pm |

2 Skipped Deployments

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| appkit-react-wagmi-example | Ignored | | Jan 27, 2026 1:16pm |
| appkit-solana | Ignored | | Jan 27, 2026 1:16pm |
