fix(nextjs): Restore original peer dep ranges for next

The CVE is a DoS vulnerability unrelated to auth — peer deps should
express SDK compatibility, not upstream security posture.

Author: jacekradko

.changeset/nextjs-security-update.md

@@ -2,4 +2,4 @@
 '@clerk/nextjs': patch
 ---
 
-Update `next` peer dependency to recommend patched versions (`^15.5.15 || ^15.6.0-0 || ^16.2.3`) to address CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you are on an older Next.js version, please upgrade to a patched release as soon as possible.
+Bump `next` devDependency to `15.5.15` to pick up the fix for CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you use the Next.js App Router, we recommend upgrading to Next.js `15.5.15` or `16.2.3`.

packages/nextjs/package.json

@@ -95,7 +95,7 @@
     "next": "15.5.15"
   },
   "peerDependencies": {
-    "next": "^15.2.8 || ^15.3.8 || ^15.4.10 || ^15.5.15 || ^15.6.0-0 || ^16.2.3",
+    "next": "^15.2.8 || ^15.3.8 || ^15.4.10 || ^15.5.9 || ^15.6.0-0 || ^16.0.10 || ^16.1.0-0",
     "react": "catalog:peer-react",
     "react-dom": "catalog:peer-react"
   },