chore(deps): bump the npm_and_yarn group across 3 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
ajv	8.17.1	8.18.0
axios	1.12.2	1.13.5
undici	6.21.2	6.24.0
lodash	4.17.21	4.17.23
@sentry/node	10.19.0	10.27.0
fastify	4.28.1	5.8.3
nodemailer	7.0.13	8.0.4
dompurify	3.3.0	3.3.2
next	15.4.11	15.5.14
@hono/node-server	1.13.7	1.19.10
hono	4.10.6	4.12.7
handlebars	4.7.8	4.7.9

Bumps the npm_and_yarn group with 4 updates in the /controlplane directory: lodash, @sentry/node, fastify and nodemailer.
Bumps the npm_and_yarn group with 4 updates in the /studio directory: axios, lodash, dompurify and next.

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
• See full diff in compare view

Updates axios from 1.12.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates undici from 6.21.2 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v6.23.0

⚠️ Security Release

... (truncated)

Commits

• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• 4e0179a fix: reject duplicate content-length and host headers
• 5a97f08 Fix websocket 64-bit length overflow
• e43e898 fix: validate upgrade header to prevent CRLF injection
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates @sentry/node from 10.19.0 to 10.27.0

Release notes

Sourced from @​sentry/node's releases.

10.27.0

Important Changes

• feat(deps): Bump OpenTelemetry (#18239)

  • Bump @​opentelemetry/context-async-hooks from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/core from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/resources from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-base from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-node from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/instrumentation from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-amqplib from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-aws-sdk from 0.59.0 to 0.64.0
  • Bump @​opentelemetry/instrumentation-connect from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-dataloader from 0.22.0 to 0.26.0
  • Bump @​opentelemetry/instrumentation-express from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-fs from 0.24.0 to 0.28.0
  • Bump @​opentelemetry/instrumentation-generic-pool from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-graphql from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-hapi from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-http from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-ioredis from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-kafkajs from 0.14.0 to 0.18.0
  • Bump @​opentelemetry/instrumentation-knex from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-koa from 0.52.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-lru-memoizer from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-mongodb from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-mongoose from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-mysql from 0.50.0 to 0.54.0
  • Bump @​opentelemetry/instrumentation-mysql2 from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-nestjs-core from 0.50.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-pg from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-redis from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-tedious from 0.23.0 to 0.27.0
  • Bump @​opentelemetry/instrumentation-undici from 0.15.0 to 0.19.0
  • Bump @​prisma/instrumentation from 6.15.0 to 6.19.0

• feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)

  Adds the manual lifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually with Sentry.uiProfiler.startProfiler() and Sentry.uiProfiler.stopProfiler(). The previous transaction-based profiling is with profilesSampleRate is now deprecated in favor of the new UI Profiling with profileSessionSampleRate.

Other Changes

• feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
• feat(core): Add scope attribute APIs (#18165)
• feat(core): Re-add _experiments.enableLogs option (#18299)
• feat(core): Use maxValueLength on error messages (#18301)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
• feat(deps): bump @​sentry/cli from 2.56.0 to 2.58.2 (#18271)
• feat(node): Add tracing support for AzureOpenAI (#18281)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.27.0

Important Changes

• feat(deps): Bump OpenTelemetry (#18239)

  • Bump @​opentelemetry/context-async-hooks from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/core from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/resources from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-base from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-node from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/instrumentation from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-amqplib from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-aws-sdk from 0.59.0 to 0.64.0
  • Bump @​opentelemetry/instrumentation-connect from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-dataloader from 0.22.0 to 0.26.0
  • Bump @​opentelemetry/instrumentation-express from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-fs from 0.24.0 to 0.28.0
  • Bump @​opentelemetry/instrumentation-generic-pool from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-graphql from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-hapi from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-http from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-ioredis from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-kafkajs from 0.14.0 to 0.18.0
  • Bump @​opentelemetry/instrumentation-knex from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-koa from 0.52.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-lru-memoizer from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-mongodb from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-mongoose from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-mysql from 0.50.0 to 0.54.0
  • Bump @​opentelemetry/instrumentation-mysql2 from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-nestjs-core from 0.50.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-pg from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-redis from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-tedious from 0.23.0 to 0.27.0
  • Bump @​opentelemetry/instrumentation-undici from 0.15.0 to 0.19.0
  • Bump @​prisma/instrumentation from 6.15.0 to 6.19.0

• feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)

  Adds the manual lifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually with Sentry.uiProfiler.startProfiler() and Sentry.uiProfiler.stopProfiler(). The previous transaction-based profiling is with profilesSampleRate is now deprecated in favor of the new UI Profiling with profileSessionSampleRate.

Other Changes

• feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
• feat(core): Add scope attribute APIs (#18165)
• feat(core): Re-add _experiments.enableLogs option (#18299)
• feat(core): Use maxValueLength on error messages (#18301)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
• feat(deps): bump @​sentry/cli from 2.56.0 to 2.58.2 (#18271)

... (truncated)

Commits

• 0b0151d release: 10.27.0
• 930863e Merge pull request #18312 from getsentry/prepare-release/10.27.0
• 02aa2ea meta(changelog): Update changelog for 10.27.0
• 6ce620e fix(core): Always redact content of sensitive headers regardless of `sendDefa...
• 235c865 feat(core): Re-add _experiments.enableLogs option (#18299)
• 4b92c64 fix(nextjs): universal random tunnel path support (#18257)
• 6240191 feat(core): Use maxValueLength on error messages (#18301)
• 1525603 feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)
• 3d48cc6 chore: Add external contributor to CHANGELOG.md (#18300)
• b8127fb doc(sveltekit): Update documentation link for SvelteKit guide (#18298)
• Additional commits viewable in compare view

Updates fastify from 4.28.1 to 5.8.3

Release notes

Sourced from fastify's releases.

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in fastify/fastify#6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in fastify/fastify#6566
• test: use fastify.test in test case by @​climba03003 in fastify/fastify#6568
• docs: use fastify.example in documentation by @​climba03003 in fastify/fastify#6567
• docs: add common performance degradation guidance by @​maxpetrusenko in fastify/fastify#6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in fastify/fastify#6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in fastify/fastify#6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in fastify/fastify#6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in fastify/fastify#6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in fastify/fastify#6582
• docs: replace redirected npm.im http-errors link by @​mcollina in fastify/fastify#6588
• types: Allow port to be null in request type definition by @​TristanBarlow in fastify/fastify#6589
• docs: update links by @​Tony133 in fastify/fastify#6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in fastify/fastify#6592

New Contributors

• @​kyrylchenko made their first contribution in fastify/fastify#6566
• @​maxpetrusenko made their first contribution in fastify/fastify#6520
• @​Deepvamja made their first contribution in fastify/fastify#6530
• @​barba-rossa made their first contribution in fastify/fastify#6535
• @​mahmoodhamdi made their first contribution in fastify/fastify#6582
• @​TristanBarlow made their first contribution in fastify/fastify#6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

• docs(ecosystem): add @​yeliex/fastify-problem-details by @​yeliex in fastify/fastify#6546
• Revert "chore: upgrade borp to v1.0.0" by @​climba03003 in fastify/fastify#6564
• docs: document body validation with custom content type parsers by @​mcollina in fastify/fastify#6556
• docs(ecosystem): add fastify-file-router by @​bhouston in fastify/fastify#6441
• docs: add fastify-svelte-view to Ecosystem list by @​matths in fastify/fastify#6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @​mcollina in fastify/fastify#6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @​leftieFriele in fastify/fastify#5661
• docs(guides): update codemod links by @​OluchiEzeifedikwa in fastify/fastify#6479
• docs: add @​glidemq/fastify to community plugins by @​avifenesh in fastify/fastify#6560

New Contributors

• @​yeliex made their first contribution in fastify/fastify#6546
• @​matths made their first contribution in fastify/fastify#6453
• @​leftieFriele made their first contribution in fastify/fastify#5661
• @​OluchiEzeifedikwa made their first contribution in fastify/fastify#6479
• @​avifenesh made their first contribution in fastify/fastify#6560

... (truncated)

Commits

• a3e77ce Bumped v5.8.3
• 4e1db5b fix: gate host and protocol getters on proxy trust function
• a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
• 1851f20 docs: update links (#6593)
• 9cc5187 types: Allow port to be null in request type definition (#6589)
• 722d83b docs: replace redirected npm.im http-errors link (#6588)
• a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
• d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
• a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
• d477915 ci(link-checker): fix root-relative links resolution (#6535)
• Additional commits viewable in compare view

Updates nodemailer from 7.0.13 to 8.0.4

Release notes

Sourced from nodemailer's releases.

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

v8.0.0

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

• add connection fallback to alternative DNS addresses (e726d6f)
• centralize and standardize error codes (45062ce)
• harden DNS fallback against race conditions and cleanup issues (4fa3c63)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

• add connection fallback to alternative DNS addresses (e726d6f)
• centralize and standardize error codes (45062ce)
• harden DNS fallback against race conditions and cleanup issues (4fa3c63)
• improve socket cleanup to prevent potential memory leaks (6069fdc)

Commits

• 2d31975 chore(master): release 8.0.4 (#1806)
• 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
• 4e702e9 chore(master): release 8.0.3 (#1804)
• c803d90 fix: remove familySupportCache that broke DNS resolution tests
• e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
• 0e78ee1 chore: update dependencies
• af73b4c chore: upgrade GitHub Actions to latest versions
• 604b570 chore: simplify remaining lib modules for clarity and consistency
• 4ced83d chore: simplify shared, errors, mailer, mime-node, and mime-funcs modules
• 0cba16e chore: simplify smtp-pool with const, Object.assign, and cleaner control flow
• Additional commits viewable in compare view

Updates dompurify from 3.3.0 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

Commits

• 5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
• e8c95f4 fix: Fixed the broken package-lock.json
• 9636037 Update package-lock.json
• 5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• Additional commits viewable in compare view

Updates next from 15.4.11 to 15.5.14

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixe...

Description has been truncated

[dependabot]

Superseded by #10.