chore(deps): update dependency next to v16.0.9 [security] (#8021)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org)
([source](https://redirect.github.com/vercel/next.js)) | [`16.0.7` ->
`16.0.9`](https://renovatebot.com/diffs/npm/next/16.0.7/16.0.9) |
![age](https://developer.mend.io/api/mc/badges/age/npm/next/16.0.9?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/16.0.7/16.0.9?slim=true)
|

### GitHub Vulnerability Alerts

####
[GHSA-mwv6-3258-q52c](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c)

A vulnerability affects certain React packages for versions 19.0.0,
19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that
use the affected packages, including Next.js 15.x and 16.x using the App
Router. The issue is tracked upstream as
[CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).

A malicious HTTP request can be crafted and sent to any App Router
endpoint that, when deserialized, can cause the server process to hang
and consume CPU. This can result in denial of service in unpatched
environments.

####
[GHSA-w37m-7fhw-fmv9](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9)

A vulnerability affects certain React packages for versions 19.0.0,
19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that
use the affected packages, including Next.js 15.x and 16.x using the App
Router. The issue is tracked upstream as
[CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183).

A malicious HTTP request can be crafted and sent to any App Router
endpoint that can return the compiled source code of [Server
Functions](https://react.dev/reference/rsc/server-functions). This could
reveal business logic, but would not expose secrets unless they were
hardcoded directly into [Server
Function](https://react.dev/reference/rsc/server-functions) code.

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

###
[`v16.0.9`](https://redirect.github.com/vercel/next.js/compare/v16.0.8...v16.0.9)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v16.0.8...v16.0.9)

###
[`v16.0.8`](https://redirect.github.com/vercel/next.js/compare/v16.0.7...v16.0.8)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v16.0.7...v16.0.8)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/UI5/webcomponents-react).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi40Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuNDIuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]

examples/nextjs-app/package-lock.json

@@ -18,7 +18,7 @@
     "@types/react-dom": "19.2.3",
     "eslint": "9.39.1",
     "eslint-config-next": "16.0.7",
-    "next": "16.0.7",
+    "next": "16.0.9",
     "react": "19.2.1",
     "react-dom": "19.2.1",
     "typescript": "5.9.3"

examples/nextjs-app/package.json

@@ -18,7 +18,7 @@
     "@types/react-dom": "19.2.3",
     "eslint": "9.39.1",
     "eslint-config-next": "16.0.7",
-    "next": "16.0.7",
+    "next": "16.0.9",
     "react": "19.2.1",
     "react-dom": "19.2.1",
     "typescript": "5.9.3"