chore: replace stale Next/PostCSS security bump PR from current main

[bntvllnt]

Summary

• replace stale dependabot PR chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #263 with a clean remediation path from current main
• bump apps/registry next from 16.1.6 to 16.2.3 for the CVE-2026-23869 backport release
• bump packages/ui postcss from ^8.5.6 to ^8.5.10 for the non-bundler </style> XSS fix

Context

• chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #263 is stale and now fails CI on an outdated branch state instead of the dependency update itself
• repo policy requires an issue-linked PR body, so the replacement PR needs a canonical issue reference

Sources

• Next.js v16.2.3 release note: https://vercel.com/changelog/summary-of-cve-2026-23869
• PostCSS 8.5.10 changelog: https://github.com/postcss/postcss/releases/tag/8.5.10

[github-actions]

This issue is missing a type (Task / Bug / Feature). A maintainer will set one shortly. See CONTRIBUTING.md → Issue types.