
fix: upgrade protobufjs to 6.11.6 & fix other issues when bumping related deps#2986

Merged
sammdec merged 42 commits into main from lochiea/family-647-vanta-remediate-critical-vulnerabilities-identified-in on Jun 4, 2026

Conversation

lochie (Contributor) commented May 18, 2026

Resolves CVE-2026-41242 by forcing protobufjs to patched version 6.11.6. The vulnerability was present in protobufjs <7.5.5, and is backported to 6.x via the 6.11.6 release. This maintains API compatibility with existing consumers that depend on protobufjs ^6.x via @cowprotocol/cow-sdk.

Fixes Dependabot alert: https://github.com/aave/interface/security/dependabot/161

General Changes

  • Resolves "protobufjs": "^6.11.6"
  • Fixes broken clsx import in Link component
  • Updates next.js to v13 to fix build errors
  • Updates other vuln deps e.g qs
  • Pins react version types
  • Removes unused imports
  • Updates types for tanstack query

Reviewer Checklist

Please ensure you, as the reviewer(s), have gone through this checklist to ensure that the code changes are ready to ship safely and to help mitigate any downstream issues that may occur.

  • End-to-end tests are passing without any errors
  • Code changes do not significantly increase the application bundle size
  • If there are new 3rd-party packages, they do not introduce potential security threats
  • If there are new environment variables being added, they have been added to the .env.example file as well as the pertinent .github/actions/* files
  • There are no CI changes, or they have been approved by the DevOps and Engineering team(s)
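A `resolutions` pin such as the one listed above only closes the alert once the lockfile has actually re-resolved every consumer of protobufjs to the patched release, so the artefact worth checking is the lockfile rather than package.json alone. The following is an added example and is not code from this PR or from the aave/interface repository: a small yarn v1 lockfile reader plus a version predicate that encodes the ranges exactly as the PR description states them (affected below 7.5.5, with the 6.x line fixed from 6.11.6). The lockfile snippets, the `resolutions` object and the registry URL are constructed for the example.

```javascript
// Added example, not code from the PR. Version boundaries are taken from the
// PR description: affected in protobufjs < 7.5.5, backported fix for 6.x in
// 6.11.6. Sample lockfiles below are constructed, not the project's own.

const FIXED_6X = [6, 11, 6];
const FIXED_7X = [7, 5, 5];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when a resolved version is still inside the affected range, taking the
// 6.x backport into account: 6.x is fixed from 6.11.6, anything else < 7.5.5.
function isVulnerableProtobufjs(version) {
  const v = parseVersion(version);
  if (v[0] === 6) return cmp(v, FIXED_6X) < 0;
  return cmp(v, FIXED_7X) < 0;
}

// Minimal reader for yarn v1 lockfile entries of one package, e.g.
//   protobufjs@^6.11.3, "protobufjs@^6.8.8":
//     version "6.11.6"
// Returns [{ requested: [range, ...], resolved: "x.y.z" }, ...].
function lockfileEntries(lockText, name) {
  const entries = [];
  const lines = lockText.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const head = lines[i].trimEnd();
    if (!/^\S/.test(head) || !head.endsWith(":")) continue;
    const specs = head.slice(0, -1).split(",")
      .map(s => s.trim().replace(/^"|"$/g, ""));
    if (!specs.every(s => s.startsWith(`${name}@`))) continue;
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const m = /^\s+version\s+"([^"]+)"/.exec(lines[j]);
      if (m) entries.push({ requested: specs.map(s => s.slice(name.length + 1)), resolved: m[1] });
    }
  }
  return entries;
}

// Cross-checks the package.json "resolutions" pin against what the lockfile
// resolved. Returns the remaining problems; an empty list means every copy of
// protobufjs in the install is at or past the fix.
function auditProtobufjs(packageJson, lockText) {
  const problems = [];
  if (!(packageJson.resolutions || {}).protobufjs) {
    problems.push({ reason: "no resolutions entry for protobufjs" });
  }
  for (const e of lockfileEntries(lockText, "protobufjs")) {
    if (isVulnerableProtobufjs(e.resolved)) {
      problems.push({ reason: "vulnerable resolution", requested: e.requested, resolved: e.resolved });
    }
  }
  return problems;
}

// Constructed inputs for the example (not the repository's real files).
const SAMPLE_PACKAGE_JSON = { resolutions: { protobufjs: "^6.11.6" } };
const SAMPLE_LOCK_BEFORE = `
protobufjs@^6.11.3:
  version "6.11.4"
  resolved "https://registry.example/protobufjs-6.11.4.tgz"

"protobufjs@^7.2.0":
  version "7.4.0"
`;
const SAMPLE_LOCK_AFTER = `
protobufjs@^6.11.3, "protobufjs@^6.11.6", protobufjs@^6.8.8:
  version "6.11.6"
`;

console.log("before:", auditProtobufjs(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_BEFORE));
console.log("after:", auditProtobufjs(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_AFTER));
```

Run it with node against a real `yarn.lock` by reading the file into `lockText`. The audit reports what was resolved rather than what was requested, because a bare `protobufjs` key under `resolutions` applies to every requester; an empty result is the condition under which the Dependabot alert can be expected to close.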

linear Bot commented May 18, 2026

FAMILY-647

vercel Bot commented May 18, 2026

The latest updates on your projects.

Project     Deployment   Actions            Updated (UTC)
interface   Ready        Preview, Comment   Jun 4, 2026 11:15am

github-actions Bot commented May 18, 2026

Dependency Review

The following issues were found:

  • ❌ 1 vulnerable package(s)
  • ⚠️ 24 packages with OpenSSF Scorecard issues.


forhau previously approved these changes May 18, 2026
@lochie lochie marked this pull request as draft May 18, 2026 08:03
@sammdec sammdec changed the title from "fix: upgrade protobufjs to 6.11.6" to "fix: upgrade protobufjs to 6.11.6 & fix other issues when bumping related deps" May 19, 2026
@sammdec sammdec force-pushed the lochiea/family-647-vanta-remediate-critical-vulnerabilities-identified-in branch from 9f2d7cc to 6d048f4 May 19, 2026 11:29
github-actions Bot commented

📦 Next.js Bundle Analysis for aave-ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page     Size (compressed)
global   1.2 MB (🟡 +46.78 KB)

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Eighteen Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page                       Size (compressed)          First Load
/                          67.4 KB   (🟢 -673 B)      1.26 MB
/404                       2.85 KB   (🟢 -15 B)       1.2 MB
/500                       3.18 KB   (🟢 -18 B)       1.2 MB
/_error                    1.98 KB   (🟢 -53 B)       1.2 MB
/bridge                    38.01 KB  (🔴 +8.97 KB)    1.23 MB
/dashboard                 56.94 KB  (🟢 -639 B)      1.25 MB
/faucet                    15.12 KB  (🟢 -85 B)       1.21 MB
/governance                90.11 KB  (🟡 +8.89 KB)    1.29 MB
/governance/ipfs-preview   101.64 KB (🟢 -405 B)      1.3 MB
/governance/v3/proposal    133.71 KB (🟡 +8.16 KB)    1.33 MB
/history                   36.14 KB  (🟡 +35 B)       1.23 MB
/markets                   39.81 KB  (🟢 -473 B)      1.24 MB
/reserve-overview          25.76 KB  (🟢 -412 B)      1.22 MB
/safety-module             41.64 KB  (🔴 +8.56 KB)    1.24 MB
/sentry-example            2.76 KB   (🟢 -50 B)       1.2 MB
/sgho                      80.26 KB  (🟢 -837 B)      1.28 MB
/staking                   33.48 KB  (🟢 -218 B)      1.23 MB
/v3-migration              37.95 KB  (🟡 +2 B)        1.23 MB

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
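The red indicator rule above (20% or more growth relative to the base branch) can be re-derived from the table rows themselves, which is the check a reviewer wants when ticking the "bundle size" box in the checklist. The following is an added example, not code from the bundle-analysis action or from this PR: it parses rows in the format printed above, recomputes the base-branch size as new size minus delta, and compares its own verdict with the indicator the action printed. The sample rows are copied from the first report on this page; the 1024 unit factor is an assumption of the example (the ratio is insensitive to it as long as both numbers use the same table).

```javascript
// Added example, not part of the bundle-analysis action. Unit factor of 1024
// is an assumption; the action does not state which it uses.
const UNIT = { B: 1, KB: 1024, MB: 1024 * 1024 };

function toBytes(num, unit) {
  if (!(unit in UNIT)) throw new Error(`unknown unit: ${unit}`);
  return Number(num) * UNIT[unit];
}

// Parses "/bridge 38.01 KB (🔴 +8.97 KB) 1.23 MB" into numeric fields.
function parseRow(line) {
  const m = /^(\S+)\s+([\d.]+)\s+(B|KB|MB)\s+\((\S+)\s+([+-][\d.]+)\s+(B|KB|MB)\)\s+([\d.]+)\s+(B|KB|MB)$/
    .exec(line.trim());
  if (!m) throw new Error(`unparseable row: ${line}`);
  return {
    page: m[1],
    size: toBytes(m[2], m[3]),       // size on this PR's branch
    reported: m[4],                  // indicator the action printed
    delta: toBytes(m[5], m[6]),      // change versus the base branch
    firstLoad: toBytes(m[7], m[8]),  // global bundle + this page's bundle
  };
}

// The action's rule: decreases are green, increases are yellow, and an
// increase of 20% or more of the base-branch size is red.
function indicatorFor(row, threshold = 0.2) {
  if (row.delta <= 0) return "🟢";
  const base = row.size - row.delta;
  return row.delta / base >= threshold ? "🔴" : "🟡";
}

// Re-derives every row and pairs the result with what the action reported,
// so a reviewer can spot rows where the two disagree.
function checkReport(lines, threshold = 0.2) {
  return lines.map(parseRow).map(r => ({
    page: r.page,
    pctChange: Math.round((r.delta / (r.size - r.delta)) * 1000) / 10,
    reported: r.reported,
    derived: indicatorFor(r, threshold),
  }));
}

// Rows copied from the first bundle report on this page.
const SAMPLE_ROWS = [
  "/ 67.4 KB (🟢 -673 B) 1.26 MB",
  "/bridge 38.01 KB (🔴 +8.97 KB) 1.23 MB",
  "/governance 90.11 KB (🟡 +8.89 KB) 1.29 MB",
  "/safety-module 41.64 KB (🔴 +8.56 KB) 1.24 MB",
  "/v3-migration 37.95 KB (🟡 +2 B) 1.23 MB",
];

console.table(checkReport(SAMPLE_ROWS));
```

On the rows above, /bridge and /safety-module come out at roughly 31% and 26% growth, which is why they carry the red marker while /governance, at about 11%, stays yellow.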

@sammdec sammdec marked this pull request as ready for review May 20, 2026 07:31
@mgrabina mgrabina removed their request for review May 21, 2026 18:09
github-actions Bot commented

📦 Next.js Bundle Analysis for aave-ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page     Size (compressed)
global   1.24 MB (🟡 +94.42 KB)

Eighteen Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page                       Size (compressed)          First Load
/                          69.35 KB  (🟡 +1.29 KB)    1.31 MB
/404                       2.9 KB    (🟡 +35 B)       1.25 MB
/500                       3.22 KB   (🟡 +30 B)       1.25 MB
/_error                    2.01 KB   (🟢 -22 B)       1.25 MB
/bridge                    33.63 KB  (🟡 +4.59 KB)    1.28 MB
/dashboard                 58.65 KB  (🟡 +1.09 KB)    1.3 MB
/faucet                    15.35 KB  (🟡 +150 B)      1.26 MB
/governance                87.57 KB  (🟡 +6.35 KB)    1.33 MB
/governance/ipfs-preview   105.47 KB (🟡 +3.43 KB)    1.35 MB
/governance/v3/proposal    133.69 KB (🟡 +8.14 KB)    1.37 MB
/history                   36.89 KB  (🟡 +803 B)      1.28 MB
/markets                   41.05 KB  (🟡 +800 B)      1.28 MB
/reserve-overview          26.6 KB   (🟡 +445 B)      1.27 MB
/safety-module             33.45 KB  (🟡 +374 B)      1.28 MB
/sentry-example            2.82 KB   (🟡 +6 B)        1.25 MB
/sgho                      83.21 KB  (🟡 +2.14 KB)    1.33 MB
/staking                   34.49 KB  (🟡 +810 B)      1.28 MB
/v3-migration              38.49 KB  (🟡 +550 B)      1.28 MB

@sammdec sammdec dismissed stale reviews from AGMASO and grothem via 8255b34 June 4, 2026 11:03
@sammdec sammdec force-pushed the lochiea/family-647-vanta-remediate-critical-vulnerabilities-identified-in branch from 71d7fa0 to 8255b34 June 4, 2026 11:03

github-actions Bot commented Jun 4, 2026

📦 Next.js Bundle Analysis for aave-ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page     Size (compressed)
global   1.25 MB (🟡 +103.83 KB)

Eighteen Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page                       Size (compressed)          First Load
/                          67.04 KB  (🟢 -1.07 KB)    1.32 MB
/404                       2.84 KB   (🟢 -27 B)       1.26 MB
/500                       3.17 KB   (🟢 -27 B)       1.26 MB
/_error                    1.99 KB   (🟢 -44 B)       1.26 MB
/bridge                    37.99 KB  (🔴 +8.96 KB)    1.29 MB
/dashboard                 56.68 KB  (🟢 -948 B)      1.31 MB
/faucet                    15.05 KB  (🟢 -156 B)      1.27 MB
/governance                90.01 KB  (🟡 +8.79 KB)    1.34 MB
/governance/ipfs-preview   101.76 KB (🟢 -293 B)      1.35 MB
/governance/v3/proposal    133.73 KB (🟡 +8.17 KB)    1.39 MB
/history                   36.33 KB  (🟡 +235 B)      1.29 MB
/markets                   39.7 KB   (🟢 -630 B)      1.29 MB
/reserve-overview          25.69 KB  (🟢 -483 B)      1.28 MB
/safety-module             41.54 KB  (🔴 +8.41 KB)    1.3 MB
/sentry-example            2.74 KB   (🟢 -71 B)       1.26 MB
/sgho                      80.83 KB  (🟢 -297 B)      1.33 MB
/staking                   33.49 KB  (🟢 -215 B)      1.29 MB
/v3-migration              37.72 KB  (🟢 -285 B)      1.29 MB

@sammdec sammdec merged commit b0a023d into main Jun 4, 2026
27 checks passed
@sammdec sammdec deleted the lochiea/family-647-vanta-remediate-critical-vulnerabilities-identified-in branch June 4, 2026 14:02
5 participants