chore(deps): bump mailparser, nodemailer, and undici #41039
julio-rocketchat wants to merge 2 commits into
Looks like this PR is not ready to merge, because of the following issues:
Please fix the issues and try again. If you have any trouble, please check the PR guidelines.
Walkthrough: Bumps
Changes: Dependency Version Updates
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 5 passed
Warning: Review ran into problems. Errors were encountered while retrieving linked issues. Errors (1)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/meteor/package.json`:
- Line 260: Locate the `@types/nodemailer` dependency in package.json (currently
pinned at ^8.0.0) and update it to ^8.0.1 to align with the nodemailer v9.0.1
version already specified in the dependencies. Additionally, review the files
EmailInbox.ts and EmailInbox_Outgoing.ts to ensure they properly handle TLS
certificate validation, as nodemailer v9 now enforces TLS certificate validation
by default for remote content fetching (attachments, OAuth2 endpoints, proxy
connections) and may require configuration adjustments if your code uses remote
attachments or self-signed certificates.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2e63868d-e3d8-4936-ad2f-dde32440e66a
⛔ Files ignored due to path filters (2)
- .github/actions/update-version-durability/package-lock.json is excluded by !**/package-lock.json
- yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
- .github/actions/update-version-durability/package.json
- apps/meteor/package.json
- package.json
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
- GitHub Check: 📦 Build Packages
- GitHub Check: Hacktron Security Check
- GitHub Check: CodeQL-Build
🔇 Additional comments (3)
apps/meteor/package.json (1)
244-244: LGTM!
.github/actions/update-version-durability/package.json (1)
20-22: LGTM!
package.json (1)
98-99: The resolution mappings are functioning correctly. Both `undici` ranges converge to a single entry in `yarn.lock` (^6.27.0), and `nodemailer` is properly pinned to `9.0.1` with no unexpected range variants present.
| "node-fetch": "2.7.0", | ||
| "node-rsa": "^1.1.1", | ||
| "nodemailer": "^8.0.8", | ||
| "nodemailer": "^9.0.1", |
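Review bot: the added `"nodemailer": "^9.0.1"` line crosses a major version (from `^8.0.8`) while the PR description's "Proposed changes" and "Steps to test or reproduce" sections are empty. Record in the description which `createTransport`/`sendMail` call sites were checked against the v9 TLS validation default discussed in this thread, so reviewers can confirm that nothing relies on unvalidated HTTPS fetches.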
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Declared nodemailer deps in apps/meteor/package.json =="
python - <<'PY'
import json
p=json.load(open("apps/meteor/package.json"))
print("dependencies.nodemailer =", p.get("dependencies", {}).get("nodemailer"))
print("devDependencies.@types/nodemailer =", p.get("devDependencies", {}).get("@types/nodemailer"))
PY
echo
echo "== npm metadata check =="
npm view nodemailer@9.0.1 version types typings
npm view @types/nodemailer version
echo
echo "== Nodemailer usage points in email flow =="
rg -nP --type=ts -C2 '\bcreateTransport\b|\bsendMail\b'
```
Repository: RocketChat/Rocket.Chat
Length of output: 4319
🌐 Web query:
nodemailer v9.0.1 breaking changes release notes
💡 Result:
Nodemailer version 9.0.1 was released on June 17, 2026 [1][2][3]. There are no breaking changes associated with this specific patch release; it is categorized as a bug fix release [1][2]. The release primarily addresses the following issue: - Enforces disableFileAccess and disableUrlAccess for the raw message option [1][2]. For users upgrading from version 9.0.0, this release is a maintenance update intended to improve security and handling of raw message access [1][2]. Users upgrading from earlier versions (e.g., v8.x) should review the migration path to v9.0.0, as breaking changes may have been introduced in the major version transition [4].
Citations:
- 1: https://github.com/nodemailer/nodemailer/releases
- 2: chore(master): release 9.0.1 nodemailer/nodemailer#1828
- 3: https://registry.npmjs.org/nodemailer
- 4: nodemailer/nodemailer@v8.0.9...v9.0.1
🏁 Script executed:
```bash
# Check the specific lines in package.json to confirm versions
sed -n '258,262p' apps/meteor/package.json
sed -n '379,383p' apps/meteor/package.json
# Check if there are TypeScript errors by examining the actual type imports/usage
rg -A5 -B5 'import.*nodemailer' apps/meteor/server/features/EmailInbox/
```
Repository: RocketChat/Rocket.Chat
Length of output: 2638
🌐 Web query:
nodemailer v8 to v9 breaking changes migration guide
💡 Result:
As of June 22, 2026, Nodemailer v9.0.0 was released on June 14, 2026 [1][2]. This version introduces a single, critical breaking change related to TLS security [3][2].
Breaking Change: TLS Certificate Validation
HTTPS requests made by Nodemailer when fetching remote content now validate TLS certificates by default [3][2]. This affects operations such as fetching remote attachments (via href or path URLs), OAuth2 token endpoints, and HTTP/HTTPS proxy connections [3][2].
Impact: Previously, Nodemailer did not strictly validate TLS certificates for these remote requests, which allowed connections to hosts with self-signed, expired, or hostname-mismatched certificates to succeed [3][2]. Under v9.0.0 and later, these connections will fail by default [3][2].
Migration/Action Required: If your application depends on fetching content from servers that use self-signed certificates or have invalid/expired TLS configurations, you must explicitly opt out of strict validation for those specific requests [3][2]. You can disable certificate validation by setting `tls.rejectUnauthorized = false` [3][2]. This can be configured in two ways:
1. Transport Options: Set it globally in the transport configuration.
2. Per-Attachment: Set it within the tls option of a specific attachment.
Example: If you have a remote attachment failing due to this change, you can update your attachment definition:
`{ path: 'https://example.com/some-file.pdf', tls: { rejectUnauthorized: false } }`
No other significant breaking changes were introduced in the v9.0.0 release [3][2].
Citations:
- 1: https://github.com/nodemailer/nodemailer/releases
- 2: chore(master): release 9.0.0 nodemailer/nodemailer#1827
- 3: nodemailer/nodemailer@v8.0.11...v9.0.0
🌐 Web query:
@types/nodemailer 8.0.0 compatibility nodemailer 9.0.1
💡 Result:
As of June 22, 2026, @types/nodemailer version 8.0.1 is the recommended and most up-to-date set of type definitions, which provides compatibility for Nodemailer version 9.x [1]. While you specifically asked about @types/nodemailer 8.0.0, note that this version was released on April 4, 2026 [2][3]. Shortly thereafter, @types/nodemailer 8.0.1 was released on June 10, 2026, to ensure better alignment with the latest Nodemailer releases [1][4]. Nodemailer itself reached version 9.0.1 on June 17, 2026 [5][6]. Because Nodemailer does not maintain its own TypeScript definitions—relying instead on the community-maintained DefinitelyTyped project—you should always use the latest version of @types/nodemailer available on npm to ensure full compatibility with the corresponding Nodemailer minor and patch releases [7][8]. Using @types/nodemailer 8.0.1 is the appropriate choice for Nodemailer 9.0.1 [1].
Citations:
- 1: https://npmx.dev/package/@types/nodemailer/versions
- 2: https://registry.npmjs.org/%40types%2Fnodemailer
- 3: https://www.npmjs.com/package/@types/nodemailer
- 4: https://npmx.dev/package-timeline/@types/nodemailer/v/8.0.0
- 5: https://github.com/nodemailer/nodemailer/releases
- 6: chore(master): release 9.0.1 nodemailer/nodemailer#1828
- 7: https://npmx.dev/package/nodemailer/v/9.0.1
- 8: https://www.npmjs.com/package/nodemailer
🏁 Script executed:
```bash
# Get more context on the type imports and usage
cat -n apps/meteor/server/features/EmailInbox/EmailInbox.ts | head -100
# Check if Mail.Options is used and how (unescaped | so ripgrep treats it as alternation)
rg -n 'Mail\.Options|Mail\.' apps/meteor/server/features/EmailInbox/
```
Repository: RocketChat/Rocket.Chat
Length of output: 3573
Update @types/nodemailer to ^8.0.1 for alignment with nodemailer v9.
@types/nodemailer is currently pinned at ^8.0.0, but @types/nodemailer@8.0.1 (released June 10, 2026) is the recommended version for nodemailer v9.x. While the patch difference is minor and the current types should function correctly with nodemailer v9.0.1, the versions should be aligned.
Additionally, note that nodemailer v9 introduces a breaking change unrelated to types: TLS certificate validation is now enforced by default for remote content fetching (attachments, OAuth2 endpoints, proxy connections). If your usage of nodemailer in EmailInbox.ts / EmailInbox_Outgoing.ts involves remote attachments or self-signed certificates, ensure proper TLS handling is configured.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@apps/meteor/package.json` at line 260, Locate the `@types/nodemailer`
dependency in package.json (currently pinned at ^8.0.0) and update it to ^8.0.1
to align with the nodemailer v9.0.1 version already specified in the
dependencies. Additionally, review the files EmailInbox.ts and
EmailInbox_Outgoing.ts to ensure they properly handle TLS certificate
validation, as nodemailer v9 now enforces TLS certificate validation by default
for remote content fetching (attachments, OAuth2 endpoints, proxy connections)
and may require configuration adjustments if your code uses remote attachments
or self-signed certificates.
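An added example (not code from this PR, Rocket.Chat, or Nodemailer): a source scan that lists the call sites the v9 TLS validation default described in this thread can affect, plus any place validation is switched off. The sample source and rule ids are constructed; `accessUrl` and `proxy` are assumed here to be the option names used for the OAuth2 token endpoint and the proxy URL.

```javascript
// Constructed sample input; it stands in for a file such as an outgoing-mail module.
const SAMPLE = `
const transport = nodemailer.createTransport({
  host: 'smtp.internal.example',
  proxy: 'https://proxy.internal.example:3128',
  tls: { rejectUnauthorized: false },
});
// path: 'https://commented-out.example/ignored.pdf'
await transport.sendMail({
  to: 'user@example.com',
  attachments: [
    { filename: 'report.pdf', path: 'https://files.internal.example/report.pdf' },
    { filename: 'notes.txt', path: '/tmp/notes.txt' },
  ],
});
`;

// One rule per item in the v9 change description: the opt-out itself, then the
// three kinds of HTTPS fetch that now validate certificates by default.
const RULES = [
  { id: 'tls-validation-disabled', re: /\brejectUnauthorized\s*:\s*false\b/ },
  { id: 'remote-attachment', re: /\b(?:path|href)\s*:\s*['"]https:\/\/[^'"\s]+/i },
  { id: 'oauth2-token-endpoint', re: /\baccessUrl\s*:\s*['"]https:\/\/[^'"\s]+/i },
  { id: 'https-proxy', re: /\bproxy\s*:\s*['"]https:\/\/[^'"\s]+/i },
];

// Returns one finding per (line, rule) match, with 1-based line numbers.
function auditNodemailerUsage(source, file = '<inline>') {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    if (/^\s*(\/\/|\*)/.test(text)) return; // skip comment-only lines
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ file, line: index + 1, rule: rule.id });
    }
  });
  return findings;
}

// Collapses findings into a per-rule count for a quick review summary.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

console.log(auditNodemailerUsage(SAMPLE, 'sample.ts'), summarize(auditNodemailerUsage(SAMPLE)));
```

A `remote-attachment`, `oauth2-token-endpoint` or `https-proxy` finding marks a fetch that will start failing against self-signed, expired or mismatched certificates; a `tls-validation-disabled` finding marks a place where that protection is turned off and should be justified in review.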
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## develop #41039 +/- ##
===========================================
- Coverage 70.19% 70.11% -0.08%
===========================================
Files 3360 3360
Lines 129668 129668
Branches 22485 22433 -52
===========================================
- Hits 91017 90918 -99
- Misses 35339 35434 +95
- Partials 3312 3316 +4
Flags with carried forward coverage won't be shown.
Proposed changes (including videos or screenshots)
Issue(s)
https://rocketchat.atlassian.net/browse/SB-1000
Steps to test or reproduce
Further comments
Summary by CodeRabbit