jsw324 bumps Next.js to 16.0.11, fixes four CVEs, and rebrands to "unburdn law"
Two commits land a Railway deploy push: a security-motivated Next.js patch that closes four CVEs and fixes a peer-dep conflict on fresh installs, plus a surface-level rename from "Mike" to "unburdn law" throughout the product UI and AI personas. The CVE fix is separable and worth a look; the branding diffs are not portable.
jsw324's fork bumped next and eslint-config-next from the pinned 16.0.3 to ^16.0.11, closing CVE-2025-66478, CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183 - all flagged by Railway's dependency scanner. The same bump unsticks a peer-dep conflict with @opennextjs/cloudflare that was breaking clean installs.
The rebrand is deliberate and surface-only. Changed: the README, the SiteLogo sidebar text, the LLM system prompts in chatTools.ts and tabular.ts, the DOCX tracked-changes author default in docxTrackedChanges.ts, and the signup-flow links (from mikeoss.com to unburdn.ai). Not changed: internal type names, the MikeIcon component, package names, or MIME strings. This is a product-skin deployment under an "unburdn law" brand on Railway, not an OSS distribution.
A follow-up commit removes frontend/bun.lock (4,165 lines). Railpack gives Bun priority when a bun.lock is present; the file was stale while package-lock.json was current, so deleting it forces the build back onto npm.
One caveat if you pull the system-prompt edits: replacing "Mike" with a different name inside the LLM persona changes model self-identification and can shift tone. Re-validate any prompt eval suites before adopting that piece.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?