update npm packages to fix a react/next CVE

[ryankshaw]

this updates all our npm deps to the latest versions but is mostly so we can update react and next.js to fix this new CVE (different from the one in december)
https://vercel.com/changelog/summary-of-cve-2026-23864

Summary
Multiple high-severity vulnerabilities in React Server Components were responsibly disclosed. Importantly, these vulnerabilities do not allow for Remote Code Execution.

[Copilot]

Pull request overview

This PR updates npm dependencies to address a React Server Components security vulnerability. The primary changes are updating React from 19.2.3 to 19.2.4, React-DOM from 19.2.3 to 19.2.4, and Next.js from 16.0.10 to 16.1.6 to fix CVE-2025-23864 (noted as CVE-2026-23864 in the PR description, which appears to be a typo).

Changes:

• Updated React and React-DOM to 19.2.4 to address security vulnerability
• Updated Next.js to 16.1.6 to address security vulnerability
• Updated various transitive dependencies including Babel, TypeScript ESLint, and other development tooling packages

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
web/package.json	Updated main dependencies: Next.js (^16.0.10 → ^16.1.6), React (^19.2.3 → ^19.2.4), and React-DOM (^19.2.3 → ^19.2.4)
web/pnpm-lock.yaml	Lockfile updates for all direct and transitive dependencies affected by the main package updates

Files not reviewed (1)

• web/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.