mirror of
https://github.com/arkorty/Osborne.git
synced 2026-03-18 00:57:14 +00:00
Update React Flight/Next.js RCE vulnerability
# React Flight / Next.js RCE Advisory Fix

## Summary

Updated the Osborne repository to address the React Flight / Next.js RCE advisory by upgrading Next.js to a patched version.

## Vulnerability Assessment

✅ **Project is affected**: Uses Next.js 15.2.4
❌ **Not using React Flight packages**: No react-server-dom-* packages detected

## Changes Made

### Modified Files

1. **client/package.json**
   - Upgraded `next` from `^15.2.4` to `15.2.6` (exact version pin)
   - This is the patched version for Next.js 15.2.x per the advisory guidelines
   - React versions (`react@18.3.1`, `react-dom@18.3.1`) were not modified as they are managed by Next.js

2. **client/package-lock.json**
   - Updated lockfile to reflect Next.js 15.2.6 installation
   - All dependency resolutions verified

## Verification

✅ Dependencies installed successfully with `npm install`
✅ Next.js version confirmed: `next@15.2.6` (verified via `npm list next`)
✅ Production build completed successfully with `next build`
✅ Linter passed with no errors or warnings (`next lint`)
✅ React versions remain at 18.3.1 (compatible with Next.js 15.2.6)

## Implementation Details

- Only modified Next.js version as this is a Next.js project
- Did not modify React versions as Next.js handles React dependency management
- Used exact version pinning (15.2.6) instead of caret to ensure the patched version is used
- No application logic changes were made

## Notes

- The project structure is a monorepo with a Next.js client (`./client`) and a Go server
- Only the client application required updates
- The server component (written in Go) has no Node.js dependencies

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@@ -34,7 +34,7 @@
|
||||
"lucide-react": "^0.456.0",
|
||||
"mini-svg-data-uri": "^1.4.4",
|
||||
"monaco-editor": "^0.54.0",
|
||||
"next": "^15.2.4",
|
||||
"next": "15.2.6",
|
||||
"next-themes": "^0.4.6",
|
||||
"qss": "^3.0.0",
|
||||
"react": "^18.3.1",
|
||||
|
||||
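Review bot: The `next` line is now an exact pin (`"next": "15.2.6"`) while every neighbouring dependency in this hunk keeps a caret range, so later 15.2.x security releases will not be picked up by `npm install` or `npm update` until someone edits this line by hand. If the exact pin is intended, pair it with an automated dependency-update check for `next`; otherwise a tilde range such as `~15.2.6` keeps the floor at the patched version and still admits later patch releases. Separately, `react` stays at `^18.3.1` in this hunk, so the versions actually installed are decided by the lockfile, which is not shown here; confirm `client/package-lock.json` is part of the same commit and that CI installs with `npm ci` so the resolved `next` cannot drift from the pinned one.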