
Update Next.js to fix security issues #667

Closed
wbqpk3 opened this issue Nov 6, 2023 · 3 comments · Fixed by #706
Labels
Target: Developer environment Developer environment issues consist of CodeCompass or 3rd-party build tooling, configuration or CI.

Comments

@wbqpk3
Collaborator

wbqpk3 commented Nov 6, 2023

See the OpenSSF security test (#659).

{
  "details": [
    "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
    "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
    "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
  ],
  "score": 7,
  "reason": "3 existing vulnerabilities detected",
  "name": "Vulnerabilities",
  "documentation": {
    "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
    "short": "Determines if the project has open, known unfixed vulnerabilities."
  }
}

# npm audit report

next  0.9.9 - 13.5.4-canary.11
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Depends on vulnerable versions of postcss
Depends on vulnerable versions of zod
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/next

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/postcss

zod  <=3.22.2
Zod denial of service vulnerability - https://github.com/advisories/GHSA-m95q-7qp3-xv42
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/zod

3 vulnerabilities (1 low, 2 moderate)

To address all issues, run:
  npm audit fix --force
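An added example, not part of the issue or of the CodeCompass project: a small Node.js gate over `npm audit --json` output that returns the findings at or above a severity threshold together with their GHSA ids, so a CI job can be failed on the same three identifiers the Scorecard check flagged above. The npm audit JSON field names (`vulnerabilities`, `severity`, `range`, `via`, `fixAvailable`) are assumed from the npm 7+ report format, and the sample report is constructed.

```javascript
// Added example (not CodeCompass code): CI gate over `npm audit --json` output.
// Assumes the npm 7+ audit JSON shape:
//   { vulnerabilities: { <pkg>: { severity, range, via, fixAvailable } } }

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Extract the GHSA id from an advisory URL such as
// https://github.com/advisories/GHSA-c59h-r6p8-q9wc; null when absent.
function ghsaIdFromUrl(url) {
  const m = /GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}/i.exec(url || "");
  return m ? m[0] : null;
}

// Return the findings that should fail the build, most severe first.
// A `via` entry is either an advisory object (direct finding, carries a URL)
// or a string naming another vulnerable package (here: next reached through
// postcss and zod); only the objects carry a GHSA id.
// Unknown severities are kept rather than silently dropped.
function blockingFindings(auditJson, threshold = "moderate") {
  const min = SEVERITY_RANK[threshold];
  const out = [];
  for (const [pkg, v] of Object.entries(auditJson.vulnerabilities || {})) {
    if (SEVERITY_RANK[v.severity] < min) continue;
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    out.push({
      package: pkg,
      severity: v.severity,
      range: v.range,
      advisories: advisories.map((a) => ghsaIdFromUrl(a.url)).filter(Boolean),
      // true when the only fix is a major bump, i.e. `npm audit fix --force` territory
      majorBumpRequired: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    });
  }
  return out.sort((a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0));
}

// Constructed sample mirroring the three findings in the report above. The fix
// version is omitted because the report does not state it; `isSemVerMajor`
// reflects "outside the stated dependency range".
const SAMPLE_AUDIT = {
  vulnerabilities: {
    next: { severity: "moderate", range: "0.9.9 - 13.5.4-canary.11", fixAvailable: { name: "next", isSemVerMajor: true },
      via: [{ url: "https://github.com/advisories/GHSA-c59h-r6p8-q9wc" }, "postcss", "zod"] },
    postcss: { severity: "moderate", range: "<8.4.31", fixAvailable: { name: "next", isSemVerMajor: true },
      via: [{ url: "https://github.com/advisories/GHSA-7fh5-64p2-3v2j" }] },
    zod: { severity: "low", range: "<=3.22.2", fixAvailable: { name: "next", isSemVerMajor: true },
      via: [{ url: "https://github.com/advisories/GHSA-m95q-7qp3-xv42" }] },
  },
};
```

In a pipeline, parse the real `npm audit --json` output, call `blockingFindings` with the threshold the project accepts, and fail the job when the returned list is non-empty; `majorBumpRequired` tells you up front whether the fix is a major upgrade like the Next.js 13 to 14 move discussed in this issue.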
@mcserep mcserep added the Target: Developer environment Developer environment issues consist of CodeCompass or 3rd-party build tooling, configuration or CI. label Nov 8, 2023
@mcserep
Collaborator

mcserep commented Nov 8, 2023

This has also been reported by dependabot previously, see #640, #641 and #656.

We did not update Next.JS from 13.4 to 13.5, as there were ongoing issues with NextJS 13.5 and MUI compatibility (see vercel/next.js#55663), which I did not want to resolve. See #635 for reference.

Since a month has passed, we can reevaluate this; hopefully they have resolved it since then.

@LoremIPsummer
Collaborator

@mcserep
Just looked into it. I've managed to reproduce the warning-related error with version 13.5.1.
Based on the issue on their repository, the current stable version 14.0.1 seems to be working properly, and besides some very easily resolvable breaking changes, I don't see a reason why we don't just upgrade to it.

@mcserep
Collaborator

mcserep commented Nov 10, 2023

I don't see a reason why we don't just upgrade to it.

Simply because Next.JS 14 was released 2 weeks ago and the original issue is older than that. Next.JS 14 was simply not available at the time.

Now if it is working, we can update to it, but we also have to consider the breaking changes, as this is a major version upgrade. I will write about that on your PR.
