fix: upgrade Next.js to 15.5.18 for security vulnerabilities

[sergical]

DESCRIBE YOUR PR

Upgrades Next.js from ^15.5.14 to ^15.5.18 to address 13 critical and high-severity CVEs disclosed on 2026-05-06.

Key vulnerabilities addressed:

• GHSA-26hh-7cqf-hhc6 (High): Middleware bypass via x-nextjs-data / __nextjs_segment_prefetch headers — the follow-up fix requiring 15.5.18
• GHSA-492v-c6pp-mqqv (High): Middleware bypass via dynamic route injection
• GHSA-c4j6-fc7j-m34r (High): SSRF via WebSocket upgrades in next dev
• GHSA-8h8q-6873-q5fj (High): DoS with Server Components
• GHSA-mg66-mrh9-m8jx (High): DoS via Cache Components
• CVE-2026-23870 (High): React Server Components DoS

References:

• https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/
• https://github.com/vercel/next.js/security/advisories

Changes:

• package.json: bumped next from ^15.5.14 to ^15.5.18
• pnpm-lock.yaml: updated lockfile accordingly

IS YOUR CHANGE URGENT?

Help us prioritize incoming PRs by letting us know when the change needs to go live.

• Urgent deadline (GA date, etc.): ASAP — active security vulnerabilities
• Other deadline:
• None: Not urgent, can wait up to 1 week+

SLA

• Teamwork makes the dream work, so please add a reviewer to your PRs.
• Please give the docs team up to 1 week to review your PR unless you've added an urgent due date to it.
  Thanks in advance for your help!

PRE-MERGE CHECKLIST

Make sure you've checked the following before merging your changes:

• Checked Vercel preview for correctness, including links
• PR was reviewed and approved by any necessary SMEs (subject matter experts)
• PR was reviewed and approved by a member of the Sentry docs team

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
develop-docs	Ready	Preview, Comment	May 7, 2026 10:44pm
sentry-docs	Ready	Preview, Comment	May 7, 2026 10:44pm