chore(deps): bump mailparser, nodemailer, and undici #41039

Open
julio-rocketchat wants to merge 2 commits into develop from bump-dependencies-mailparser-nodemailer-undici
@julio-rocketchat julio-rocketchat commented Jun 22, 2026

Member

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/SB-1000

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores
    • Updated package dependencies including mailparser, nodemailer, and undici to latest compatible versions.

@julio-rocketchat julio-rocketchat requested a review from a team as a code owner June 22, 2026 12:30
dionisio-bot Bot commented Jun 22, 2026

Contributor

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is targeting the wrong base branch. It should target 8.7.0, but it targets 8.6.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

changeset-bot Bot commented Jun 22, 2026


⚠️ No Changeset found

Latest commit: 990d121

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@julio-rocketchat julio-rocketchat added this to the 8.7.0 milestone Jun 22, 2026
coderabbitai Bot commented Jun 22, 2026

Contributor

Walkthrough

Bumps nodemailer from ^8.0.8 to ^9.0.1 and mailparser from ~3.9.10 to ~3.9.11 in apps/meteor/package.json. Updates root Yarn resolutions for nodemailer and undici (pinning undici to ^6.27.0). Adds an npm overrides block in the GitHub Action's package.json to pin undici to 6.27.0.

Changes

Dependency Version Updates

| Layer / File(s) | Summary |
|---|---|
| nodemailer and mailparser bumps (apps/meteor/package.json, package.json) | Bumps mailparser from ~3.9.10 to ~3.9.11 and nodemailer from ^8.0.8 to ^9.0.1 in the Meteor app manifest; updates the root Yarn resolution for nodemailer to 9.0.1. |
| undici version pinning (package.json, .github/actions/update-version-durability/package.json) | Repins undici resolutions for ^6.19.5 and ^6.23.0 ranges to ^6.27.0 in root Yarn resolutions; adds an npm overrides block in the GitHub Action manifest to pin undici to 6.27.0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40966: Updates nodemailer dependency versions in apps/meteor/package.json and/or root package.json, overlapping directly with this PR's changes.
  • RocketChat/Rocket.Chat#40978: Also bumps mailparser and nodemailer in apps/meteor/package.json, making it directly related to this PR's dependency changes.

Suggested labels

type: chore

Suggested reviewers

  • tassoevan
  • yasnagat
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes in the pull request, which involve bumping three specific dependencies: mailparser, nodemailer, and undici across multiple package.json files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • SB-1000: Request failed with status code 401

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/package.json`:
- Line 260: Locate the `@types/nodemailer` dependency in package.json (currently
pinned at ^8.0.0) and update it to ^8.0.1 to align with the nodemailer v9.0.1
version already specified in the dependencies. Additionally, review the files
EmailInbox.ts and EmailInbox_Outgoing.ts to ensure they properly handle TLS
certificate validation, as nodemailer v9 now enforces TLS certificate validation
by default for remote content fetching (attachments, OAuth2 endpoints, proxy
connections) and may require configuration adjustments if your code uses remote
attachments or self-signed certificates.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2e63868d-e3d8-4936-ad2f-dde32440e66a

📥 Commits

Reviewing files that changed from the base of the PR and between 7b54fb7 and 990d121.

⛔ Files ignored due to path filters (2)
  • .github/actions/update-version-durability/package-lock.json is excluded by !**/package-lock.json
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
  • .github/actions/update-version-durability/package.json
  • apps/meteor/package.json
  • package.json
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: Hacktron Security Check
  • GitHub Check: CodeQL-Build
🔇 Additional comments (3)
apps/meteor/package.json (1)

244-244: LGTM!

.github/actions/update-version-durability/package.json (1)

20-22: LGTM!

package.json (1)

98-99: The resolution mappings are functioning correctly. Both undici ranges converge to a single entry in yarn.lock (^6.27.0), and nodemailer is properly pinned to 9.0.1 with no unexpected range variants present.

Comment thread apps/meteor/package.json
"node-fetch": "2.7.0",
"node-rsa": "^1.1.1",
"nodemailer": "^8.0.8",
"nodemailer": "^9.0.1",
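Review bot: The `nodemailer` line crosses a major version (^8.0.8 to ^9.0.1), yet the PR description leaves "Proposed changes" and "Steps to test or reproduce" empty, so nothing records that the mail-sending paths were exercised on v9. Please fill in the test steps, and since the walkthrough says the root Yarn resolution pins nodemailer to 9.0.1, state whether the caret range here or that pin is meant to decide the installed version.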

Contributor

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Declared nodemailer deps in apps/meteor/package.json =="
python - <<'PY'
import json
p=json.load(open("apps/meteor/package.json"))
print("dependencies.nodemailer =", p.get("dependencies", {}).get("nodemailer"))
print("devDependencies.@types/nodemailer =", p.get("devDependencies", {}).get("@types/nodemailer"))
PY

echo
echo "== npm metadata check =="
npm view nodemailer@9.0.1 version types typings
npm view @types/nodemailer version

echo
echo "== Nodemailer usage points in email flow =="
rg -nP --type=ts -C2 '\bcreateTransport\b|\bsendMail\b'

Repository: RocketChat/Rocket.Chat

Length of output: 4319


🌐 Web query:

nodemailer v9.0.1 breaking changes release notes

💡 Result:

Nodemailer version 9.0.1 was released on June 17, 2026 [1][2][3]. There are no breaking changes associated with this specific patch release; it is categorized as a bug fix release [1][2]. The release primarily addresses the following issue:

  • Enforces disableFileAccess and disableUrlAccess for the raw message option [1][2].

For users upgrading from version 9.0.0, this release is a maintenance update intended to improve security and handling of raw message access [1][2]. Users upgrading from earlier versions (e.g., v8.x) should review the migration path to v9.0.0, as breaking changes may have been introduced in the major version transition [4].

Citations:


🏁 Script executed:

# Check the specific lines in package.json to confirm versions
sed -n '258,262p' apps/meteor/package.json
sed -n '379,383p' apps/meteor/package.json

# Check if there are TypeScript errors by examining the actual type imports/usage
rg -A5 -B5 'import.*nodemailer' apps/meteor/server/features/EmailInbox/

Repository: RocketChat/Rocket.Chat

Length of output: 2638


🌐 Web query:

nodemailer v8 to v9 breaking changes migration guide

💡 Result:

As of June 22, 2026, Nodemailer v9.0.0 was released on June 14, 2026 [1][2]. This version introduces a single, critical breaking change related to TLS security [3][2].

Breaking Change: TLS Certificate Validation

HTTPS requests made by Nodemailer when fetching remote content now validate TLS certificates by default [3][2]. This affects operations such as fetching remote attachments (via href or path URLs), OAuth2 token endpoints, and HTTP/HTTPS proxy connections [3][2].

Impact: Previously, Nodemailer did not strictly validate TLS certificates for these remote requests, which allowed connections to hosts with self-signed, expired, or hostname-mismatched certificates to succeed [3][2]. Under v9.0.0 and later, these connections will fail by default [3][2].

Migration/Action Required: If your application depends on fetching content from servers that use self-signed certificates or have invalid/expired TLS configurations, you must explicitly opt out of strict validation for those specific requests [3][2]. You can disable certificate validation by setting tls.rejectUnauthorized = false [3][2]. This can be configured in two ways:

  1. Transport Options: Set it globally in the transport configuration.
  2. Per-Attachment: Set it within the tls option of a specific attachment.

Example: If you have a remote attachment failing due to this change, you can update your attachment definition:

{ path: 'https://example.com/some-file.pdf', tls: { rejectUnauthorized: false } }

No other significant breaking changes were introduced in the v9.0.0 release [3][2].

Citations:


🌐 Web query:

@types/nodemailer 8.0.0 compatibility nodemailer 9.0.1

💡 Result:

As of June 22, 2026, @types/nodemailer version 8.0.1 is the recommended and most up-to-date set of type definitions, which provides compatibility for Nodemailer version 9.x [1]. While you specifically asked about @types/nodemailer 8.0.0, note that this version was released on April 4, 2026 [2][3]. Shortly thereafter, @types/nodemailer 8.0.1 was released on June 10, 2026, to ensure better alignment with the latest Nodemailer releases [1][4]. Nodemailer itself reached version 9.0.1 on June 17, 2026 [5][6]. Because Nodemailer does not maintain its own TypeScript definitions—relying instead on the community-maintained DefinitelyTyped project—you should always use the latest version of @types/nodemailer available on npm to ensure full compatibility with the corresponding Nodemailer minor and patch releases [7][8]. Using @types/nodemailer 8.0.1 is the appropriate choice for Nodemailer 9.0.1 [1].

Citations:


🏁 Script executed:

# Get more context on the type imports and usage
cat -n apps/meteor/server/features/EmailInbox/EmailInbox.ts | head -100

# Check if Mail.Options is used and how
rg -n 'Mail\.Options|Mail\.' apps/meteor/server/features/EmailInbox/

Repository: RocketChat/Rocket.Chat

Length of output: 3573


Update @types/nodemailer to ^8.0.1 for alignment with nodemailer v9.

@types/nodemailer is currently pinned at ^8.0.0, but @types/nodemailer@8.0.1 (released June 10, 2026) is the recommended version for nodemailer v9.x. While the patch difference is minor and the current types should function correctly with nodemailer v9.0.1, the versions should be aligned.

Additionally, note that nodemailer v9 introduces a breaking change unrelated to types: TLS certificate validation is now enforced by default for remote content fetching (attachments, OAuth2 endpoints, proxy connections). If your usage of nodemailer in EmailInbox.ts / EmailInbox_Outgoing.ts involves remote attachments or self-signed certificates, ensure proper TLS handling is configured.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/package.json` at line 260, Locate the `@types/nodemailer`
dependency in package.json (currently pinned at ^8.0.0) and update it to ^8.0.1
to align with the nodemailer v9.0.1 version already specified in the
dependencies. Additionally, review the files EmailInbox.ts and
EmailInbox_Outgoing.ts to ensure they properly handle TLS certificate
validation, as nodemailer v9 now enforces TLS certificate validation by default
for remote content fetching (attachments, OAuth2 endpoints, proxy connections)
and may require configuration adjustments if your code uses remote attachments
or self-signed certificates.
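
An added example, not code from this PR or from nodemailer: a pre-upgrade audit that walks a transport configuration and a message's attachments and reports which remote fetches will need a valid certificate under v9 and which ones opt out through `tls.rejectUnauthorized: false`. The option shapes follow the review comment above; `auditMailTls`, the finding labels and the sample hostnames are assumptions made for illustration.

```javascript
// Added example: inspects plain option objects; it does not import or call nodemailer.
// Option names (path, href, tls.rejectUnauthorized) are the ones named in the review above.
function remoteUrl(attachment) {
  for (const key of ['href', 'path']) {
    const value = attachment[key];
    if (typeof value === 'string' && /^https?:\/\//i.test(value)) return value;
  }
  return null; // local path, buffer or inline content: nothing is fetched remotely
}

function optsOut(options) {
  return Boolean(options && options.tls && options.tls.rejectUnauthorized === false);
}

function auditMailTls(transportOptions, message) {
  const findings = [];
  if (optsOut(transportOptions)) {
    // Assumption from the review text: a transport-level opt-out applies globally.
    findings.push({ where: 'transport', issue: 'validation-disabled' });
  }
  (message.attachments || []).forEach((attachment, index) => {
    const url = remoteUrl(attachment);
    if (url === null) return;
    const where = `attachments[${index}]`;
    if (/^http:\/\//i.test(url)) {
      findings.push({ where, issue: 'plaintext-http', url }); // no TLS to validate at all
    } else if (optsOut(attachment)) {
      findings.push({ where, issue: 'validation-disabled', url });
    } else if (!optsOut(transportOptions)) {
      // Fetch fails on v9 if the server certificate is self-signed, expired or mismatched.
      findings.push({ where, issue: 'needs-valid-certificate', url });
    }
  });
  return findings;
}

// Constructed sample input; hostnames are placeholders.
const sampleTransport = { host: 'smtp.example.test', port: 465, secure: true };
const sampleMessage = {
  attachments: [
    { filename: 'local.txt', path: '/tmp/local.txt' },
    { filename: 'report.pdf', path: 'https://files.example.test/report.pdf' },
    { filename: 'legacy.pdf', href: 'https://intranet.example.test/legacy.pdf', tls: { rejectUnauthorized: false } },
    { filename: 'old.png', href: 'http://cdn.example.test/old.png' },
  ],
};

console.log(JSON.stringify(auditMailTls(sampleTransport, sampleMessage), null, 2));
```

Each `validation-disabled` finding is a place where the v9 default has been switched off and deserves a recorded justification; each `needs-valid-certificate` finding is a fetch to test against the real endpoint before the bump ships.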

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.11%. Comparing base (7b54fb7) to head (990d121).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #41039      +/-   ##
===========================================
- Coverage    70.19%   70.11%   -0.08%     
===========================================
  Files         3360     3360              
  Lines       129668   129668              
  Branches     22485    22433      -52     
===========================================
- Hits         91017    90918      -99     
- Misses       35339    35434      +95     
- Partials      3312     3316       +4     
| Flag | Coverage Δ |
|---|---|
| e2e | 59.31% <ø> (-0.13%) ⬇️ |
| e2e-api | 46.27% <ø> (-0.09%) ⬇️ |
| unit | 70.04% <ø> (-0.07%) ⬇️ |

Flags with carried forward coverage won't be shown. Click here to find out more.
