
Commit e9e6968

Update dependency devalue to v5 [SECURITY] (#4733)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [devalue](https://redirect.github.com/sveltejs/devalue) | [`4.3.3` -> `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-57820](https://redirect.github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)

## 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue'; // vulnerable version (before the fix in 5.3.2)

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x); // 3
console.log(vector.y); // 4
console.log(vector.magnitude); // "nope" instead of 5
```

## 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://redirect.github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://redirect.github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://redirect.github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://redirect.github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://redirect.github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://redirect.github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://redirect.github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://redirect.github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://redirect.github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://redirect.github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://redirect.github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://redirect.github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://redirect.github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://redirect.github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://redirect.github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
1 parent 470d212 commit e9e6968
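The advisory above describes two payload shapes that the pre-5.3.2 `devalue.parse` accepted: an object carrying a `__proto__` key, and a non-numeric "index" that resolves to an `Array.prototype` method. The following is an added example (not devalue's or Next.js's own code) showing a defensive pre-parse check that rejects both shapes at the server boundary and returns a reason suitable for logging; it assumes the payload is the JSON array format produced by `devalue.stringify` and is a complement to the upgrade, not a substitute for it.

```javascript
// Added example, not devalue's own code: a pre-parse check that rejects the two
// payload shapes from CVE-2025-57820. Assumed format (devalue.stringify output):
// a JSON array whose object values and untagged-array elements are integer indices
// into it; small negative integers are devalue's sentinels (undefined, NaN, ...).
function isValidRef(value, length) {
  return Number.isInteger(value) && value < length;
}

// Returns null if the payload looks safe, else a message naming the first problem.
function checkDevaluePayload(payload) {
  let values;
  try {
    values = JSON.parse(payload);
  } catch {
    return 'payload is not valid JSON';
  }
  if (Number.isInteger(values) && values < 0) return null; // bare sentinel, e.g. "-1"
  if (!Array.isArray(values)) return 'payload is not an array';
  const n = values.length;
  // JSON.parse stores "__proto__" as an own key, so Object.keys() sees it.
  const checkObject = (obj, where) => {
    for (const key of Object.keys(obj)) {
      if (key === '__proto__') return `${where}: "__proto__" key is not allowed`;
      if (!isValidRef(obj[key], n)) return `${where}.${key}: not an index`;
    }
    return null;
  };
  for (let i = 0; i < n; i++) {
    const entry = values[i];
    if (entry === null || typeof entry !== 'object') continue; // literal primitive
    if (!Array.isArray(entry)) {
      const err = checkObject(entry, `[${i}]`);
      if (err) return err;
      continue;
    }
    // Tagged arrays (["Vector",5], ["Date","..."]) may carry literal strings after
    // the tag; untagged arrays hold references only. Nested objects are checked too.
    const tagged = typeof entry[0] === 'string';
    for (let j = tagged ? 1 : 0; j < entry.length; j++) {
      const el = entry[j];
      if (typeof el === 'number' && !isValidRef(el, n)) return `[${i}][${j}]: bad index`;
      if (!tagged && typeof el !== 'number') return `[${i}][${j}]: not an index`;
      if (el && typeof el === 'object' && !Array.isArray(el)) {
        const err = checkObject(el, `[${i}][${j}]`);
        if (err) return err;
      }
    }
  }
  return null;
}
```

Run it on the two advisory payloads and both are rejected with a message pointing at the offending key, while normal `devalue.stringify` output passes through unchanged.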

File tree: 1 file changed, +1 -1 lines changed


packages/next/package.json

Lines changed: 1 addition & 1 deletion
@@ -223,7 +223,7 @@
223223
"cssnano-preset-default": "7.0.7",
224224
"data-uri-to-buffer": "6.0.2",
225225
"debug": "4.4.1",
226-
"devalue": "4.3.3",
226+
"devalue": "5.3.2",
227227
"domain-browser": "5.7.0",
228228
"edge-runtime": "2.5.10",
229229
"events": "3.3.0",
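Review bot: the hunk bumps the pin in `packages/next/package.json` only, and the commit touches exactly one file, so the lockfile is not updated here; confirm the lockfile is regenerated in the same PR so the installed version actually moves to `5.3.2` rather than staying at the previously resolved `4.3.3`. Note also that this is a major bump (4.x to 5.x): besides the security fix in 5.3.2, the release notes list a behavior change in 5.0.0 ("Ignore non-enumerable symbolic keys"), so callers of `devalue.stringify` in this package are worth a quick check.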
