The recently disclosed Next.js CVE-2025-66478 does NOT affect any @proofkit packages such as @proofkit/fmdapi or @proofkit/webviewer. However, if your app was built with the @proofkit/cli (e.g. pnpm create proofkit), you should still update the Next.js version as outlined in the Next.js disclosure article to protect your own app and infrastructure.
Newly created ProofKit projects will install a patched version of Next.js by default, but only because the version specifier allows the newest minor versions. You may still want to run the upgrade command to be more explicit about the version of Next.js you want to run.