Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#109

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0f6fac21e4
Closed

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#109
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0f6fac21e4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 3 updates in the / directory: nodemailer, dompurify and markdown-it.

Updates nodemailer from 8.0.10 to 9.0.1

Release notes

Sourced from nodemailer's releases.

v9.0.1

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)
Changelog

Sourced from nodemailer's changelog.

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)
Commits
  • 69cf625 chore(master): release 9.0.1 (#1828)
  • a82e060 fix: enforce disableFileAccess/disableUrlAccess for raw message option
  • 4e58450 chore: update dev dependencies
  • 541f5fd chore(master): release 9.0.0 (#1827)
  • 0c080fb fix: replace deprecated url.parse with a WHATWG URL wrapper
  • 6a947ac fix!: validate TLS certificates by default when fetching remote content
  • e3b1bda chore(master): release 8.0.11 (#1826)
  • 4358caf refactor: remove dead checks flagged by Code Quality analysis
  • cf5195c chore: harden workflow token permissions and update GitHub Actions
  • 067aebe fix: parse Ethereal response props without polynomial regex backtracking
  • Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes perfomance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 3 up…
8d77f0a 
…dates

Bumps the npm_and_yarn group with 3 updates in the / directory: [nodemailer](https://github.com/nodemailer/nodemailer), [dompurify](https://github.com/cure53/DOMPurify) and [markdown-it](https://github.com/markdown-it/markdown-it).


Updates `nodemailer` from 8.0.10 to 9.0.1
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.10...v9.0.1)

Updates `dompurify` from 3.4.2 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.2...3.4.11)

Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.1...14.2.0)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 9.0.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 19, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 19, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-0f6fac21e4 branch June 19, 2026 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants