
Commit 4d292d1

⬆️🩹 Update dependency next to v16.1.7 [SECURITY] (#388)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`16.1.6` → `16.1.7`](https://renovatebot.com/diffs/npm/next/16.1.6/16.1.7) | ![age](https://developer.mend.io/api/mc/badges/age/npm/next/16.1.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/16.1.6/16.1.7?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)

## Summary

`origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

## Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

## Patches

Fixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.

## Workarounds

If upgrade is not immediately possible:

- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

#### [CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)

## Summary

In `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.

## Impact

If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) still allow connections from any origin.

## Patches

Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins.

## Workarounds

If upgrade is not immediately possible:

- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at your proxy.

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

### [`v16.1.7`](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/munich-quantum-toolkit/problemsolver).

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
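A simplified model of the Server Action origin check described in the CVE-2026-27978 advisory above, added here as an illustration; this is not Next.js's own code, and the helper names (`isAllowedVulnerable`, `isAllowedPatched`, `originMatchesHost`) and the sample `headers` objects are constructed for this example. It assumes, as the advisory implies, that a genuinely absent `Origin` header is accepted in both versions.

```javascript
// Model of the vulnerable behaviour: an Origin header whose value is the
// string "null" (sent by opaque contexts such as sandboxed iframes) is
// treated exactly like a missing header, so the cross-origin check is
// skipped and the request is accepted.
function isAllowedVulnerable(headers, allowedOrigins = []) {
  const origin = headers.origin;
  const host = headers.host;
  if (!origin || origin === "null") {
    return true; // "null" falls through as if no Origin had been sent
  }
  return originMatchesHost(origin, host) || allowedOrigins.includes(origin);
}

// Model of the patched behaviour: "null" is an explicit origin value. It
// never matches the request host, so it is only accepted when the deployer
// has deliberately allowlisted it (the advisory's
// experimental.serverActions.allowedOrigins).
function isAllowedPatched(headers, allowedOrigins = []) {
  const origin = headers.origin;
  const host = headers.host;
  if (!origin) {
    return true; // assumption of this model: absent header is accepted
  }
  return originMatchesHost(origin, host) || allowedOrigins.includes(origin);
}

// Same-origin test: parse the Origin header as a URL and compare its host
// with the Host header. "null" is not a valid URL and so never matches.
function originMatchesHost(origin, host) {
  try {
    return new URL(origin).host === host;
  } catch {
    return false;
  }
}

// Constructed sample: a request from a sandboxed (opaque) context.
const sandboxedRequest = { origin: "null", host: "app.example" };
console.log(isAllowedVulnerable(sandboxedRequest)); // true: bypass
console.log(isAllowedPatched(sandboxedRequest));    // false: rejected
console.log(isAllowedPatched(sandboxedRequest, ["null"])); // true: allowlisted
```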
1 parent 6323180 commit 4d292d1

2 files changed

Lines changed: 42 additions & 42 deletions

File tree

webpage/package-lock.json

Lines changed: 41 additions & 41 deletions

webpage/package.json

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@
99
"lint": "next lint"
1010
},
1111
"dependencies": {
12-
"next": "16.1.6",
12+
"next": "16.1.7",
1313
"react": "^19.0.0",
1414
"react-dom": "^19.0.0",
1515
"react-graph-vis": "^1.0.7",
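Review bot: the bump from `"next": "16.1.6"` to `"next": "16.1.7"` keeps the existing exact pin and is paired with the `package-lock.json` update in the same commit, so the resolved version is unambiguous; what this hunk cannot show is whether the fix for CVE-2026-27978 is actually effective for this app, because the patched check still accepts `Origin: null` when `'null'` is allowlisted in `experimental.serverActions.allowedOrigins`, so confirm the project's Next config does not allowlist it. Likewise for CVE-2026-27977, the advisory states that apps without a configured `allowedDevOrigins` still accept dev websocket connections from any origin, so the version bump alone does not harden an exposed `next dev` server.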
