[CD-1226] Remediate starter app package vulnerabilities#35

Open

andrazk wants to merge 1 commit into main from codex/cd-1226-remediate-starter-vulns

Conversation

@andrazk andrazk commented Jun 16, 2026

Summary

Remediates the GitHub Dependabot medium Next.js findings for CaseMark/casedotdev-starter-app by updating:

  • next to 16.2.6
  • eslint-config-next to 16.2.6

Vanta

https://app.vanta.com/c/casemark/tests/packages-checked-for-vulnerabilities-v2-records-closed-github-dependabot-medium

Validation

  • bun install --frozen-lockfile
  • Targeted bun audit --json check for next returned {}
  • bun run build passed

Note: full bun audit still reports unrelated advisories outside this PR scope.
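The validation section above gates on a targeted audit: only advisories for the packages the PR touches (next, eslint-config-next) should be empty, while the full audit may still list unrelated packages. The script below is an added example, not code from the PR or from the CaseMark repository, of how such a scoped gate can be implemented. It assumes that `bun audit --json` emits the npm bulk-advisory shape (a JSON object mapping package name to a list of advisories with a `severity` field) and that the command exits non-zero when any advisory exists; the sample advisory data and the package name `example-transitive-dep` are constructed placeholders.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample standing in for `bun audit --json` output. The shape
# (package name -> list of advisories) is an assumption about Bun's output
# format, and every value here is a made-up placeholder, not a real advisory.
SAMPLE_AUDIT_JSON = json.dumps({
    "example-transitive-dep": [
        {
            "id": 0,
            "url": "https://example.invalid/advisory/placeholder",
            "title": "constructed placeholder advisory",
            "severity": "moderate",
            "vulnerable_versions": "<1.2.3",
            "cwe": ["CWE-000"],
        }
    ]
})

# npm-style severity ladder, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_audit(raw: str) -> Dict[str, List[dict]]:
    """Parse audit JSON; an empty or missing body is treated as 'no advisories'."""
    data = json.loads(raw or "{}")
    if not isinstance(data, dict):
        raise ValueError("unexpected audit output shape: expected a JSON object")
    return data


def run_bun_audit(cwd: str = ".") -> Dict[str, List[dict]]:
    """Run `bun audit --json` in the project directory and parse its stdout.
    check=False because the command is assumed to exit non-zero when
    advisories are present, which is exactly the case we want to inspect."""
    proc = subprocess.run(
        ["bun", "audit", "--json"], cwd=cwd, capture_output=True, text=True, check=False
    )
    return parse_audit(proc.stdout)


def advisories_for(audit: Dict[str, List[dict]], package: str,
                   min_severity: str = "moderate") -> List[dict]:
    """Advisories for one package at or above the given severity."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        adv for adv in audit.get(package, [])
        if SEVERITY_RANK.get(str(adv.get("severity", "info")).lower(), 0) >= threshold
    ]


def targeted_check(audit: Dict[str, List[dict]], packages: List[str],
                   min_severity: str = "moderate") -> Dict[str, List[dict]]:
    """Restrict the audit to the packages a change touches. An empty dict is
    the 'returned {}' outcome the PR description reports for next."""
    result: Dict[str, List[dict]] = {}
    for pkg in packages:
        hits = advisories_for(audit, pkg, min_severity)
        if hits:
            result[pkg] = hits
    return result


def unrelated_packages(audit: Dict[str, List[dict]], packages: List[str]) -> List[str]:
    """Packages with advisories outside the change's scope, so the 'full audit
    still reports unrelated advisories' note can be stated precisely."""
    scope = set(packages)
    return sorted(pkg for pkg, advs in audit.items() if pkg not in scope and advs)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_bun_audit()
    # inside a real project checkout.
    audit = parse_audit(SAMPLE_AUDIT_JSON)
    in_scope = ["next", "eslint-config-next"]
    print("in-scope advisories:", json.dumps(targeted_check(audit, in_scope)))
    print("unrelated packages with advisories:", unrelated_packages(audit, in_scope))
    raise SystemExit(1 if targeted_check(audit, in_scope) else 0)
```

The exit status makes the scoped check usable as a CI gate for a remediation PR: it fails only when a package the PR claims to fix still carries an advisory at or above the chosen severity, and the unrelated list is printed so the remaining backlog is visible rather than silently ignored.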

thurgood-bot Bot commented Jun 16, 2026

DB Cooper Database Review

No database-related code, schema, or migration changes detected in this PR; dependency bumps only. No DB risk identified.

No database risks found. Migrations and DB-impacting changes look safe.


DB review by DB Cooper | Re-run with /dbreview

thurgood-bot Bot commented Jun 16, 2026

Oppenheimer Cleanup Review

No production code changes in this PR; it is a dependency upgrade only. The only potential simplification is lockfile pruning, but it cannot be proven safe without validation of Bun’s resolution rules.

⚠️ Risk If Removed (1)

Removing these items could have subtle side effects. Review the documented risks before proceeding.

  • bun.lock:1361: The lockfile now includes an extra alias entry browserslist/baseline-browser-mapping alongside the top-level baseline-browser-mapping. Repo-wide search shows only these lockfile entries; no source references. This may be a Bun lockfile artifact, but removing it could change dependency resolution or integrity.

    Keep as-is unless you can regenerate bun.lock with the same Bun version and confirm the alias entry is unnecessary via bun install --frozen-lockfile and a clean diff.


Cleanup review by Oppenheimer | Re-run with /cleanup

thurgood-bot Bot commented Jun 16, 2026

Judicial Review

Dependency bump for Next.js and eslint-config-next to remediate reported vulnerabilities; no code-path or configuration changes observed.

No significant issues found. This code is cleared to ship.


Legal-Grade review by Thurgood | Re-review with /review

Comment thread on bun.lock

"ajv-formats/ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="],

"browserslist/baseline-browser-mapping": ["baseline-browser-mapping@2.9.11", "", { "bin": { "baseline-browser-mapping": "dist/cli.js" } }, "sha512-Sg0xJUNDU1sJNGdfGWhVHX0kkZ+HWcvmVymJbj6NSgZZmW/8S9Y2HQ5euytnIgakgxN6papOAWiwDo1ctFDcoQ=="],

WARNING: The lockfile now includes an extra alias entry browserslist/baseline-browser-mapping alongside the top-level baseline-browser-mapping. Repo-wide search shows only these lockfile entries; no source references. This may be a Bun lockfile artifact, but removing it could change dependency resolution or integrity.

Suggestion: Keep as-is unless you can regenerate bun.lock with the same Bun version and confirm the alias entry is unnecessary via bun install --frozen-lockfile and a clean diff.
