
fix: resolve Dependency Security Vulnerabilities Detected #721

Open
RitvikaSavanna wants to merge 1 commit into AOSSIE-Org:main from RitvikaSavanna:fix/security-vunerabilities

Conversation


@RitvikaSavanna RitvikaSavanna commented May 4, 2026

Addressed Issues:

Fixes #719

Screenshots/Recordings:

Before:

npm audit showed 41 vulnerabilities (4 low, 14 moderate, 21 high, 2 critical)

After:

npm audit shows 21 vulnerabilities (3 low, 8 moderate, 10 high, 0 critical)
All remaining vulnerabilities have no fix available upstream.

Additional Notes:

Upgraded Next.js from v9.5.5 to latest and ESLint to latest
to resolve the majority of security vulnerabilities.

21 vulnerabilities remain with no upstream fix available:

  • cross-spawn (ReDoS) - no fix released
  • got (UNIX socket redirect) - no fix released
  • parse-git-config (prototype pollution) - no fix released
  • prismjs (DOM clobbering) - no fix released
  • tmp (symlink write) - no fix released
  • postcss (XSS) - fix would downgrade Next.js, not recommended

All remaining issues are in dev dependencies only and
do not impact production users.

AI Usage Disclosure:

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact. AI slop is strongly discouraged and may lead to banning and blocking. Do not spam our repos with AI slop.

Check one of the checkboxes below:

  • [x] This PR does not contain AI-generated code at all.
  • [ ] This PR contains AI-generated code. I have read the AI Usage Policy and this PR complies with this policy. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: TODO

Checklist

  • [x] My PR addresses a single issue, fixes a single bug or makes a single improvement.
  • [ ] My code follows the project's code style and conventions
  • [ ] If applicable, I have made corresponding changes or additions to the documentation
  • [ ] If applicable, I have made corresponding changes or additions to tests
  • [x] My changes generate no new warnings or errors
  • [x] I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • [ ] I have read the Contribution Guidelines
  • [x] Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.
  • [x] I have filled this PR template completely and carefully, and I understand that my PR may be closed without review otherwise.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Next.js framework to the latest version for improved stability and performance
    • Updated development tooling dependencies including ESLint for better code quality
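The triage the PR description does by hand (fix available, no upstream fix, fix only via a breaking change such as a Next.js downgrade) can be checked mechanically from `npm audit --json`. The script below is an added example, not code from this PR or the AOSSIE project; its audit report is a constructed sample shaped like npm 7+ output, and `placeholder-pkg` and the `next@9.5.5` downgrade are placeholder values.

```javascript
// Added example (not from the PR or the project): triage an `npm audit --json`
// (npm 7+) report into "fix available", "no upstream fix" and "fix requires a
// breaking (semver-major) change". The report below is a constructed sample.
const sampleAudit = {
  vulnerabilities: {
    "cross-spawn": { severity: "high", fixAvailable: false },
    "tmp": { severity: "low", fixAvailable: false },
    // npm reports a breaking fix as an object naming the top-level package that
    // would have to change; the version here is a constructed placeholder.
    "postcss": {
      severity: "moderate",
      fixAvailable: { name: "next", version: "9.5.5", isSemVerMajor: true },
    },
    "placeholder-pkg": { severity: "critical", fixAvailable: true },
  },
};

function triageAudit(report) {
  const out = { bySeverity: {}, fixable: [], noFix: [], breakingFix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    out.bySeverity[v.severity] = (out.bySeverity[v.severity] || 0) + 1;
    if (v.fixAvailable === false) {
      out.noFix.push(name);                      // nothing released upstream
    } else if (v.fixAvailable === true) {
      out.fixable.push(name);                    // `npm audit fix` can apply it
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      out.breakingFix.push(                      // needs a major bump/downgrade
        `${name} (requires ${v.fixAvailable.name}@${v.fixAvailable.version})`);
    } else {
      out.fixable.push(name);                    // non-breaking fix via a parent
    }
  }
  return out;
}

// Checks the claim "all remaining vulnerabilities have no fix available":
// returns the packages that still have a non-breaking fix npm could apply.
function unappliedFixes(report) {
  return triageAudit(report).fixable;
}

console.log(JSON.stringify(triageAudit(sampleAudit), null, 2));
console.log("unapplied fixes:", unappliedFixes(sampleAudit));
```

Against a real tree, replace `sampleAudit` with the parsed output of `npm audit --json`; the JSON does not tag findings as dev or prod, so the dev-only claim is checked separately with `npm audit --omit=dev`.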


coderabbitai Bot commented May 4, 2026

Walkthrough

Dependency versions are updated to address security vulnerabilities: Next.js and eslint-config-next advance from v14 to v16, and ESLint upgrades from v8 to v10 to align with the Next.js configuration tooling.

Changes

Dependency Updates for Security

Layer | File(s) | Summary
Runtime Dependency | package.json | next updated from ^14.1.3 to ^16.2.4 to resolve upstream security vulnerabilities.
Tooling Dependencies | package.json | eslint-config-next updated from ^14.1.3 to ^16.2.4 and eslint updated from 8.26.0 to ^10.3.0 to address security issues and maintain compatibility.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop—the versions leap with speed,
From fourteen's nest to sixteen's creed,
ESLint too, in ten's new light,
Security vulnerabilities take flight!

Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title directly addresses the main objective of the PR: resolving dependency security vulnerabilities through package upgrades.
Linked Issues check | Passed | The PR successfully addresses issue #719 by upgrading Next.js and ESLint to resolve security vulnerabilities, reducing critical vulnerabilities from 2 to 0 and total vulnerabilities from 41 to 21.
Out of Scope Changes check | Passed | All changes in package.json are directly related to addressing the security vulnerabilities identified in issue #719; no unrelated modifications were introduced.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
package.json (1)

39-39: Consider upgrading @next/mdx to ^16.2.4 for ecosystem consistency (optional).

While next@^16.2.4 is compatible with react@^18.2.0 (confirmed in peer dependencies), keeping @next/mdx at ^14.1.3 creates a version skew. Since @next/mdx doesn't enforce a specific next major version, this won't cause peer dependency resolution errors, but aligning it to 16.2.4 would improve consistency across the Next.js ecosystem. The ESLint upgrade to ^10.3.0 is compatible with eslint-config-next@^16.2.4.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 39, Update the `@next/mdx` dependency in package.json
from "^14.1.3" to "^16.2.4" to align with the installed next version ("next":
"^16.2.4"); edit the "@next/mdx" entry, run your package manager (npm/yarn/pnpm
install) to refresh lockfiles, and rebuild/test the app (e.g., dev server and
lint) to ensure no regressions; this targets the "@next/mdx" dependency in
package.json and standard install/build commands.


📥 Commits

Reviewing files that changed from the base of the PR and between bb70285 and 2e6fa77.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json


Development

Successfully merging this pull request may close these issues.

[BUG]: Dependency Security Vulnerabilities Detected
