fix: use vercel for vendor in nextjs CPE (#4450)

The recent react / next CVE uses "vercel" as the vendor, see
https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go

@@ -196,6 +196,11 @@ var defaultCandidateAdditions = buildCandidateLookup(
 			candidateAddition{AdditionalVendors: []string{"handlebarsjs"}},
 		},
 		// NPM packages
+		{
+			pkg.NpmPkg,
+			candidateKey{PkgName: "next"},
+			candidateAddition{AdditionalProducts: []string{"next.js"}, AdditionalVendors: []string{"vercel"}},
+		},
 		{
 			pkg.NpmPkg,
 			candidateKey{PkgName: "hapi"},