
chore(deps): clear pnpm audit gate — nodemailer 9, undici/js-yaml overrides (PP-6ln1)#1565

Merged
timothyfroehlich merged 1 commit into
mainfrom
fix/audit-gate-deps-PP-6ln1
Jun 19, 2026

Conversation

@timothyfroehlich (Owner)

Why

CI's pnpm audit --audit-level=high gate went RED on main (advisories published 2026-06-17), cascading into CI Gate and blocking every open PR (#1558#1562, #1388). This is the root-cause fix the huddle flagged on 2026-06-19; PP-vsdo (the /audit-override comment command) is the complementary per-PR escape hatch and is being built separately this session.

What

| Advisory | Severity | Package | Path | Fix |
| --- | --- | --- | --- | --- |
| GHSA-p6gq-j5cr-w38f | high | nodemailer <=9.0.0 | direct | bump ^8.0.5 → ^9.0.1 |
| GHSA-vmh5-mc38-953g | high | undici >=7.23 <7.28 | vitest→jsdom | override ^7.28.0 |
| GHSA-h67p-54hq-rp68 | moderate | js-yaml <=4.1.1 | @eslint/eslintrc | override >=4.2.0 |

pnpm audit is now fully clean (was: 2 high + 2 moderate).

Risk notes

  • nodemailer 8→9 is a major bump, but we use it only for the local/test SMTP transport (Mailpit) in src/lib/email/transport.ts — production email is Resend. The advisory concerns the message-level raw option, which we never set. @types/nodemailer has no v9 published yet, so it stays ^8.0.0; typecheck is green against nodemailer 9.
  • undici is pinned to ^7.28.0 (not >=) deliberately — an open-ended bound pulls undici 8.x, which jsdom@29 was not built against. Staying on the 7.x line keeps jsdom's fetch path intact.
  • The SMTPTransport is exercised against real Mailpit by src/test/integration/supabase/email-transport.test.ts (CI test-integration-supabase), which validates the nodemailer 9 bump end-to-end.

Verification

  • pnpm audit / pnpm audit --audit-level=high: clean ✅
  • pnpm run check (types, lint, format, 1261 unit + 70 py tests): green ✅
  • Full build + integration + integration-supabase + E2E: relying on CI.

PP-6ln1.

🤖 Generated with Claude Code

…rrides

The CI `pnpm audit --audit-level=high` gate went RED on main (advisories
published 2026-06-17), cascading into CI Gate and blocking every open PR.

- nodemailer ^8.0.5 → ^9.0.1: high SSRF/arbitrary-file-read advisory
  GHSA-p6gq-j5cr-w38f (message-level `raw` option). We only use nodemailer
  for the local/test SMTP transport (Mailpit); production uses Resend, and
  our usage doesn't touch `raw`. @types/nodemailer stays ^8.0.0 (no v9
  published); typecheck is green against nodemailer 9.
- pnpm override undici ^7.28.0: high TLS-cert-bypass GHSA-vmh5-mc38-953g
  (transitive via vitest→jsdom). Pinned to the 7.x line jsdom@29 expects.
- pnpm override js-yaml >=4.2.0: moderate quadratic-DoS GHSA-h67p-54hq-rp68
  (transitive via @eslint/eslintrc); clears the last remaining advisory.

`pnpm audit` is now fully clean. SMTP transport is exercised against Mailpit
by the email-transport integration test (CI test-integration-supabase).

PP-6ln1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
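The two mechanisms this PR relies on, the `pnpm audit --audit-level=high` gate and the caret-bounded undici override from the risk notes, as an added JavaScript example (not code from this PR or the project's own repository). It assumes the npm-v6-style JSON shape that `pnpm audit --json` emits (`advisories` keyed by id, each with `github_advisory_id`, `severity`, `module_name`, `vulnerable_versions`, `patched_versions` and `findings[].paths`); that shape is an assumption here. The sample report and package.json fragment inside the block are constructed from the advisory table above, not captured from CI, and the installed versions in the sample findings are made up.

```javascript
// Added example, not the project's code: re-implements the severity gate that
// `pnpm audit --audit-level=high` applies in CI, and a guard for the
// "open-ended override pulls undici 8.x" caveat from the PR's risk notes.
// JSON shape of the audit report is ASSUMED (npm-v6 style as emitted by
// `pnpm audit --json`); sample data below is CONSTRUCTED from the PR table.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the advisories whose severity meets or exceeds `level`.
function advisoriesAtOrAbove(report, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.advisories || {})
    .filter((a) => (SEVERITY_RANK[a.severity] ?? -1) >= threshold)
    .map((a) => ({
      id: a.github_advisory_id,
      severity: a.severity,
      module: a.module_name,
      vulnerable: a.vulnerable_versions,
      patched: a.patched_versions,
      // first dependency path, e.g. "vitest>jsdom>undici" for a transitive hit
      path: a.findings?.[0]?.paths?.[0] ?? a.module_name,
    }));
}

// Mirrors the CI gate: fails when anything at or above `level` remains.
function auditGate(report, level = 'high') {
  const hits = advisoriesAtOrAbove(report, level);
  return { ok: hits.length === 0, hits };
}

// Risk-note check: an override for a package whose consumer was built against
// one major line (jsdom@29 -> undici 7.x in the PR) must stay on that major.
// Caret, tilde and exact ranges qualify; ">=x.y.z" and other open-ended
// ranges do not, because the resolver may pick the next major.
function overrideStaysOnMajor(pkgJson, name, major) {
  const range = pkgJson.pnpm?.overrides?.[name];
  if (!range) return { ok: false, reason: `no override for ${name}` };
  const m = /^(\^|~)?(\d+)\.\d+\.\d+$/.exec(range.trim());
  if (!m) return { ok: false, reason: `open-ended or non-caret range: ${range}` };
  if (Number(m[2]) !== major) {
    return { ok: false, reason: `override ${range} is not on major ${major}` };
  }
  return { ok: true, reason: range };
}

// CONSTRUCTED sample: what the gate saw before the PR (ids, severities and
// ranges from the PR table; installed versions and paths are made up).
const SAMPLE_REPORT_BEFORE = {
  advisories: {
    1: { github_advisory_id: 'GHSA-p6gq-j5cr-w38f', severity: 'high', module_name: 'nodemailer',
         vulnerable_versions: '<=9.0.0', patched_versions: '>=9.0.1',
         findings: [{ version: '8.0.5', paths: ['nodemailer'] }] },
    2: { github_advisory_id: 'GHSA-vmh5-mc38-953g', severity: 'high', module_name: 'undici',
         vulnerable_versions: '>=7.23.0 <7.28.0', patched_versions: '>=7.28.0',
         findings: [{ version: '7.27.0', paths: ['vitest>jsdom>undici'] }] },
    3: { github_advisory_id: 'GHSA-h67p-54hq-rp68', severity: 'moderate', module_name: 'js-yaml',
         vulnerable_versions: '<=4.1.1', patched_versions: '>=4.2.0',
         findings: [{ version: '4.1.0', paths: ['@eslint/eslintrc>js-yaml'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0 } },
};

// CONSTRUCTED sample: a clean report, as after the PR.
const SAMPLE_REPORT_AFTER = {
  advisories: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } },
};

// CONSTRUCTED package.json fragment with the overrides the PR describes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { nodemailer: '^9.0.1' },
  pnpm: { overrides: { undici: '^7.28.0', 'js-yaml': '>=4.2.0' } },
};

console.log('gate (before):', JSON.stringify(auditGate(SAMPLE_REPORT_BEFORE, 'high'), null, 2));
console.log('gate (after):', JSON.stringify(auditGate(SAMPLE_REPORT_AFTER, 'high')));
console.log('undici override:', overrideStaysOnMajor(SAMPLE_PACKAGE_JSON, 'undici', 7));
```

Running the block with the "before" sample reports the two high advisories (and the moderate js-yaml one only when the level is lowered to `moderate`), which is exactly the distinction the `--audit-level=high` flag makes; the override check accepts `^7.28.0` and rejects `>=7.28.0`, the open-ended form the risk notes warn would resolve to undici 8.x.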
Copilot AI review requested due to automatic review settings June 19, 2026 03:40

Copilot AI (Contributor) left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@vercel

vercel Bot commented Jun 19, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| pin-point | Ready | Preview, Comment | Jun 19, 2026 3:42am |
