
Commit cf31bc8

chore(deps): update dependency next to v16.1.7 [security] (#8344)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`16.1.6` → `16.1.7`](https://renovatebot.com/diffs/npm/next/16.1.6/16.1.7) | ![age](https://developer.mend.io/api/mc/badges/age/npm/next/16.1.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/16.1.6/16.1.7?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)

## Summary

In `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.

## Impact

If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) still allow connections from any origin.

## Patches

Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins.

## Workarounds

If upgrade is not immediately possible:

- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at your proxy.

#### [CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)

## Summary

`origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

## Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

## Patches

Fixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.

## Workarounds

If upgrade is not immediately possible:

- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

#### [CVE-2026-27979](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq)

## Summary

A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

## Impact

In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

## Patches

Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.

## Workarounds

If upgrade is not immediately possible:

- Block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.

#### [CVE-2026-29057](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8)

## Summary

When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

## Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

## Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.

## Workarounds

If upgrade is not immediately possible:

- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

### [`v16.1.7`](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/UI5/webcomponents-react).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
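The advisories above describe two patterns a reviewer may want to see concretely: an origin check that lumps `Origin: null` together with an absent header (CVE-2026-27977 / CVE-2026-27978) beside the corrected check that treats `"null"` as an explicit value requiring deliberate allowlisting, and the proxy-side workarounds the advisories list for deployments that cannot upgrade immediately. The following is an added illustration written for this page; it is not code from Next.js or from the webcomponents-react repository. The allowlist, the request shape `{ method, path, headers }`, the `rewrittenPrefixes` parameter, and the sample requests are all constructed assumptions, and the handling of a truly absent `Origin` header is kept identical in both versions so that the two functions differ only in the `"null"` case.

```javascript
// Added example, not Next.js code. Models the "Origin: null" handling described
// in CVE-2026-27977 / CVE-2026-27978 and the proxy workarounds from the advisories.

// Constructed allowlist of hostnames, in the spirit of allowedDevOrigins /
// serverActions.allowedOrigins (assumed shape: "host[:port]" strings).
const ALLOWED_ORIGINS = ["dev.example.internal:3000"];

// Shared helper: does a well-formed Origin value match the request Host or the allowlist?
function originHostMatches(originHeader, requestHost, allowed) {
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // not a parseable URL: never a match
  }
  return parsed.host === requestHost || allowed.includes(parsed.host);
}

// Pre-fix shape of the check: "null" is treated like an absent header and
// skips validation, so an opaque (sandboxed) context passes unchecked.
function isAllowedOriginBefore(originHeader, requestHost, allowed) {
  if (originHeader === undefined || originHeader === "null") {
    return true; // "nothing to check" -- this is the flaw the advisories describe
  }
  return originHostMatches(originHeader, requestHost, allowed);
}

// Post-fix shape: "null" is an explicit origin value and passes only if the
// allowlist names it deliberately. Absent-header policy is unchanged from the
// version above (an assumption of this example, not something the advisory states).
function isAllowedOriginAfter(originHeader, requestHost, allowed) {
  if (originHeader === undefined) return true;
  if (originHeader === "null") return allowed.includes("null");
  return originHostMatches(originHeader, requestHost, allowed);
}

// Proxy-side filter implementing the three blocking workarounds listed in the
// advisories. `req` is a constructed shape with lowercase header names;
// `rewrittenPrefixes` are the route prefixes a rewrites() config forwards to an
// external backend (per-app, assumed here).
function proxyWorkaroundVerdict(req, rewrittenPrefixes) {
  const h = req.headers;
  const isUpgrade = (h["upgrade"] || "").toLowerCase() === "websocket";
  if (isUpgrade && req.path === "/_next/webpack-hmr" && h["origin"] === "null") {
    return "block: null-origin HMR websocket (CVE-2026-27977)";
  }
  if ("next-resume" in h) {
    return "block: next-resume header from untrusted client (CVE-2026-27979)";
  }
  const chunked = (h["transfer-encoding"] || "").toLowerCase().includes("chunked");
  const onRewrite = rewrittenPrefixes.some((p) => req.path.startsWith(p));
  if (chunked && onRewrite && (req.method === "DELETE" || req.method === "OPTIONS")) {
    return "block: chunked DELETE/OPTIONS on rewritten route (CVE-2026-29057)";
  }
  return "allow";
}

// Constructed sample requests, one per rule plus a benign request.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/_next/webpack-hmr", headers: { upgrade: "websocket", origin: "null" } },
  { method: "POST", path: "/", headers: { "next-resume": "1" } },
  { method: "DELETE", path: "/api/backend/item/1", headers: { "transfer-encoding": "chunked" } },
  { method: "GET", path: "/", headers: { origin: "http://dev.example.internal:3000" } },
];

// Runs every sample through the filter with "/api/backend/" as the rewritten prefix.
function runSamples() {
  return SAMPLE_REQUESTS.map((r) => proxyWorkaroundVerdict(r, ["/api/backend/"]));
}
```

`isAllowedOriginBefore("null", "localhost:3000", ALLOWED_ORIGINS)` returns `true`, which is the bypass; `isAllowedOriginAfter` returns `false` for the same input and only returns `true` when `"null"` is present in the allowlist, matching the patch description. The proxy filter is deliberately narrow: it blocks exactly the three request shapes the advisories name and nothing else, so it can be removed once the upgrade lands.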
1 parent 8fd8533 commit cf31bc8

File tree

8 files changed

+168
-168
lines changed


examples/nextjs-app/package-lock.json

Lines changed: 41 additions & 41 deletions

examples/nextjs-app/package.json

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@
1818
"@types/react-dom": "19.2.3",
1919
"eslint": "9.39.4",
2020
"eslint-config-next": "16.1.6",
21-
"next": "16.1.6",
21+
"next": "16.1.7",
2222
"react": "19.2.4",
2323
"react-dom": "19.2.4",
2424
"typescript": "5.9.3"
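Review bot: `next` moves to 16.1.7 in this hunk while `eslint-config-next` two lines above stays at `16.1.6`; the two packages are normally released together, so either bump `eslint-config-next` in the same change or confirm the mismatch is intentional so later Renovate runs don't open a second PR for it. Since the companion `package-lock.json` is not rendered, also verify that its `next` entry resolves to the 16.1.7 tarball with a registry-provided `integrity` hash rather than a hand-edited one.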

examples/nextjs-pages/package-lock.json

Lines changed: 41 additions & 41 deletions

examples/nextjs-pages/package.json

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@
1818
"@types/react-dom": "19.2.3",
1919
"eslint": "9.39.4",
2020
"eslint-config-next": "16.1.6",
21-
"next": "16.1.6",
21+
"next": "16.1.7",
2222
"react": "19.2.4",
2323
"react-dom": "19.2.4",
2424
"typescript": "5.9.3"
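Review bot: same observation for the pages example as for the app example: `next` goes to 16.1.7 but `eslint-config-next` remains `16.1.6` in the context lines, so consider aligning both in one PR. Of the four advisories in the commit message, the Pages Router example is exposed to the `next dev` websocket one (CVE-2026-27977) and the rewrite smuggling one (CVE-2026-29057) if it configures rewrites, so this bump is worth keeping even though the Server Actions and PPR issues apply to the App Router.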
