jsw324 bumps Next.js to 16.0.11, fixes four CVEs, and rebrands to "unburdn law"

Two commits land a Railway deploy push: a security-motivated Next.js patch that closes four CVEs and fixes a peer-dep conflict on fresh installs, plus a surface-level rename from "Mike" to "unburdn law" throughout the product UI and AI personas. The CVE fix is separable and worth a look; the branding diffs are not portable.

brandinginfrastructure

jsw324's fork bumped next and eslint-config-next from the pinned 16.0.3 to ^16.0.11, closing CVE-2025-66478, CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183 - all flagged by Railway's dependency scanner. The same bump unsticks a peer-dep conflict with @opennextjs/cloudflare that was breaking clean installs.

The rebrand is deliberate and surface-only. Changed: the README, the SiteLogo sidebar text, the LLM system prompts in chatTools.ts and tabular.ts, the DOCX tracked-changes author default in docxTrackedChanges.ts, and the signup-flow links (from mikeoss.com to unburdn.ai). Not changed: internal type names, the MikeIcon component, package names, or MIME strings. This is a product-skin deployment under an "unburdn law" brand on Railway, not an OSS distribution.

A follow-up commit removes frontend/bun.lock (4,165 lines). Railpack gives Bun priority when a bun.lock is present; the file was stale while package-lock.json was current, so deleting it forces the build back onto npm.

One caveat if you pull the system-prompt edits: replacing "Mike" with a different name inside the LLM persona changes model self-identification and can shift tone. Re-validate any prompt eval suites before adopting that piece.

So what Worth pulling: the `frontend/package.json` + `package-lock.json` delta for the `^16.0.11` bump - the CVEs are real and the peer-dep fix is free. Skip the branding diffs wholesale. The `bun.lock` deletion only matters if you're deploying via Railway and carrying a stale Bun lockfile.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

2 commits from jsw324/law-llm, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
492dd408 Bump Next.js to ^16.0.11 and rebrand to unburdn law Jason Walkow 2026-05-03 ↗ GitHub
commit body
Fixes critical CVEs in next@16.0.3 (CVE-2025-66478, CVE-2025-55184,
CVE-2025-67779, CVE-2025-55183) flagged by Railway's security scan. Also
resolves the @opennextjs/cloudflare peer-dep conflict that blocked fresh
installs.

Replaces user-visible "Mike" branding with lowercase "unburdn law" across
page titles, sidebar/logo, AI persona system prompts, DOCX tracked-changes
author, signup terms/privacy URLs, and column-prompt placeholders. Internal
type names, MIME types, package names, and the MikeIcon component are
unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
99375788 Remove frontend/bun.lock so Railpack uses npm + package-lock.json Jason Walkow 2026-05-03 ↗ GitHub
commit body
Railpack prefers bun when bun.lock is present, but the file was stale
relative to package.json after the Next.js bump and failed
--frozen-lockfile. The repo standardizes on npm per the README, so the
bun lockfile is unused - removing it lets Railpack fall back to npm and
the up-to-date package-lock.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-104.md from inside the repo you want the changes in.

⬇ Download capture-thread-104.md