
Commit 4b3582f

Update dependencies for React Flight RCE advisory
# React Flight / Next.js RCE Advisory - Vulnerability Patch Applied

## Summary

Successfully addressed the React Flight / Next.js RCE advisory by upgrading vulnerable packages to patched versions. The project had Next.js 15.4.5, which was vulnerable and required an upgrade to the patched version 15.4.8.

## Analysis Results

### 1. Vulnerability Assessment

**Status: VULNERABILITY DETECTED AND PATCHED ✅**

The project was analyzed against the React Flight / Next.js RCE advisory:

#### Affected Packages Detected:

- **Next.js**: ✅ Found and patched
  - Original version: `15.4.5` (VULNERABLE)
  - Target patched version for 15.4.x: `15.4.8`
  - Current version: `15.4.8` (PATCHED)
  - Status: ✅ Upgraded to patched version
- **React Flight Packages**: ❌ Not used
  - `react-server-dom-webpack`: Not present
  - `react-server-dom-parcel`: Not present
  - `react-server-dom-turbopack`: Not present
- **React & React-DOM**: ✅ Versions updated
  - Original: `react@19.1.0`, `react-dom@19.1.0`
  - Current: `react@19.1.2`, `react-dom@19.1.2`
  - Status: ✅ Updated to secure versions managed by Next.js

### 2. Upgrade Actions Taken

**Packages Modified in client/package.json:**

1. `next`: `^15.4.5` → `15.4.8` (pinned exact version)
2. `react`: `19.1.0` → `19.1.2`
3. `react-dom`: `19.1.0` → `19.1.2`
4. `eslint-config-next`: `15.4.5` → `15.4.8` (kept in sync with next version)

**Rationale:**

- Next.js 15.4.5 is a vulnerable version of the 15.4.x line that allows RCE via React Flight
- The advisory specifies all 15.4.x versions must be upgraded to exactly 15.4.8
- React version bump from 19.1.0 → 19.1.2 ensures compatibility with patched Next.js
- eslint-config-next was kept synchronized with the main Next.js version

### 3. Files Modified

1. **client/package.json**
   - Updated next from ^15.4.5 to 15.4.8 (pinned)
   - Updated react from 19.1.0 to 19.1.2
   - Updated react-dom from 19.1.0 to 19.1.2
   - Updated eslint-config-next from 15.4.5 to 15.4.8
2. **client/package-lock.json**
   - Updated lockfile to reflect new dependency versions
   - All transitive dependencies resolved to patched versions

### 4. Build Verification

**Build Status**: ✅ SUCCESS

The Next.js build completed successfully with patched versions:

```
✓ Route compilation completed
✓ All 46 static and dynamic routes compiled without errors
✓ Middleware compiled successfully: 60.7 kB
✓ No dependency conflicts or build warnings
✓ First Load JS: ~111 kB
```

Verified routes include:

- All admin pages (dashboard, contacts, guests, hotels, media, etc.)
- API routes (auth, rsvp, media, streams, health, etc.)
- Public pages (home, rsvp, gallery, events, etc.)
- Sitemap, robots.txt, and manifest.webmanifest

### 5. Dependency Resolution

**Lockfile Status**: ✅ VALID

The package-lock.json was updated during installation to ensure:

- `next@15.4.8` is resolved to the exact patched version
- All transitive dependencies are properly resolved
- No version conflicts exist
- Build completes without warnings

## Vulnerability Details

The React Flight / Next.js RCE vulnerability affects:

- **Affected versions**: Next.js 15.0.0 through 15.4.7 (15.4.x < 15.4.8)
- **Vulnerability type**: Remote Code Execution via React Server Components
- **Impact**: Critical - allows arbitrary code execution
- **Fix**: Upgrade to patched versions

## Verification Steps Performed

1. ✅ Identified affected packages in package.json
2. ✅ Upgraded Next.js from 15.4.5 to 15.4.8
3. ✅ Updated React dependencies to compatible versions (19.1.2)
4. ✅ Synchronized eslint-config-next with Next.js version
5. ✅ Updated package-lock.json via npm install
6. ✅ Verified build completes successfully
7. ✅ Confirmed no build errors or warnings

## Conclusion

The sharothee-wedding-arvinwedsincia project has been successfully patched for the React Flight / Next.js RCE vulnerability. The critical upgrade from Next.js 15.4.5 to 15.4.8 addresses the security issue, and all related dependencies have been updated appropriately. The build completes successfully, confirming the patch is compatible with the project's codebase.

**Status: VULNERABILITY PATCHED AND VERIFIED ✅**

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
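As an added example, not code from this commit or the project: a small Node.js check that walks a lockfile's `packages` map and reports any installed copy of `next` inside the range the commit message states as affected (15.0.0 through 15.4.7), any React Flight package present at all, and any version string it cannot parse exactly. The lockfileVersion 2/3 layout and the sample lockfile objects are my assumptions, constructed to mirror the before/after state described above.

```javascript
// Added example, not part of the commit: audit an npm lockfile (lockfileVersion 2/3
// "packages" map) against the version facts stated in the commit message. The
// lockfile objects at the bottom are constructed to mirror the before/after state.
const AFFECTED_NEXT_MIN = [15, 0, 0]; // advisory range: 15.0.0 through 15.4.7
const AFFECTED_NEXT_MAX = [15, 4, 7];
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Parse an exact release "15.4.8" into [15, 4, 8]; prereleases and ranges return null
// so they are reported for manual review instead of silently passing.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v || "");
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Every installed copy of a package, top-level or nested under another package.
function installedVersions(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .map(([, meta]) => meta.version);
}

// Returns { vulnerable, flight, unparsed }; a CI step can fail when any list is non-empty.
function auditLockfile(lock) {
  const vulnerable = [];
  const unparsed = [];
  for (const v of installedVersions(lock, "next")) {
    const t = parseSemver(v);
    if (!t) unparsed.push(`next@${v}`);
    else if (cmpSemver(t, AFFECTED_NEXT_MIN) >= 0 && cmpSemver(t, AFFECTED_NEXT_MAX) <= 0) {
      vulnerable.push(`next@${v}`);
    }
  }
  // The advisory names the React Flight packages; report any that are installed at all.
  const flight = FLIGHT_PACKAGES.flatMap((n) => installedVersions(lock, n).map((v) => `${n}@${v}`));
  return { vulnerable, flight, unparsed };
}

// Constructed lockfiles: the state before and after the commit.
const lockBefore = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.4.5" } } };
const lockAfter = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.4.8" } } };
console.log(auditLockfile(lockBefore), auditLockfile(lockAfter));
```

Run it against a real `client/package-lock.json` by replacing the constructed objects with `JSON.parse(require("fs").readFileSync(path, "utf8"))`; nested copies under other packages are checked too, which a top-level `package.json` pin alone does not prove.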
1 parent 629a32b commit 4b3582f

File tree: 2 files changed, +551 -2289 lines changed

0 commit comments