Bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the /website3.0 directory:

Package	From	To
axios	1.7.4	1.16.0
mongoose	8.4.4	8.22.1
next	14.2.12	16.2.9
next-auth	4.24.7	4.24.14
nodemailer	6.9.14	8.0.9
postcss	8.4.39	8.5.10
brace-expansion	1.1.11	removed
jws	3.2.2	3.2.3
lodash	4.17.21	4.18.1
picomatch	2.3.1	removed

Updates axios from 1.7.4 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Commits

• df53d7d chore(release): prepare release 1.16.0 (#10834)
• 9d92bcd fix: gadgets and smaller issues (#10833)
• 5107ee6 fix: prevent undefined error codes in settle (#7276)
• e573499 fix(fetch): defer global access in fetch adapter (#7260)
• ad68e1a fix(http): honor timeout during connect without redirects (#10819)
• 2a51828 fix(http): decode URL basic auth credentials (#10825)
• 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
• 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
• 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
• cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates mongoose from 8.4.4 to 8.22.1

Release notes

Sourced from mongoose's releases.

8.22.1 / 2025-02-04

• fix: handle other top-level query operators in sanitizeFilter
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

8.22.0 / 2026-01-27

• feat(model): allow passing strict option to hydrate() #15944 #15940

8.21.1

• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

8.21.0 / 2025-12-29

• feat(document): add support for getAtomics() to allow custom container types to utilize atomics #15817
• feat(document+model): pass options to pre('deleteOne') and update+options to pre('updateOne') hooks #15908 #15870
• fix: add support for typescript style enums #15914 #15913 mjfwebb

8.20.4 / 2025-12-18

• fix(model): ensure $isDeleted is set after calling doc.deleteOne() successfully #15898
• fix(document): use bitwise OR to accumulate version mode flags #15893 #15888 AbdelrahmanHafez

8.20.3 / 2025-12-15

• perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
• fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
• types(schema): avoid treating paths with default: null as required #15889
• types(schema): allow partial statics to schema.statics() #15780

8.20.2 / 2025-12-05

• fix(model): bump version if necessary after successful bulkSave() #15809 #15800
• fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
• types(schema): allow calling schema.static() with as TStatics #15794 #15780

8.20.1 / 2025-11-20

• types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
• docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
• docs: update version support documentation for Mongoose #15761 ManmathX
• docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07

8.20.0 / 2025-11-17

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.22.1 / 2026-02-04

• fix: handle other top-level query operators in sanitizeFilter
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

7.8.9 / 2026-02-04

• fix: handle other top-level query operators in sanitizeFilter

8.22.0 / 2026-01-27

• feat(model): allow passing strict option to hydrate() #15944 #15940

8.21.1 / 2026-01-23

• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 AbdelrahmanHafez
• fix(document): when cloning a doc with subdocs, make sure the subdocs parent is the cloned doc #15904 #15901
• fix: respect currentTime schema option in bulkWrite updates #15976 sderrow
• types(models): support Mongoose query casting in AnyBulkWriteOperation filter property #15910
• types: add toBSON() to documents #15927

9.1.5 / 2026-01-20

• fix(map): validate map subdocument when loaded with init #15960 #15957 AbdelrahmanHafez
• fix(discriminator): prevent indexes and callQueue duplication with shared nested schemas #15974 #15966 AbdelrahmanHafez
• fix(subdocuments): do not pass parent path on init #15970 #15969 #15682 AbdelrahmanHafez
• types(inferrawdoctype): correct handling for subdocs and doc arrays #15967 #13772
• docs: improve grammar and clarity in TypeScript schema comments #15971 harshsinghpujari

9.1.4 / 2026-01-15

• fix: attach sessions to docs retrieved by cursor #15953 #15949 mjfwalsh
• fix(model): make hydrate() handle nested schema arrays #15964 #15956
• fix(clone): fix parent doc for map subdocuments and array subdocuments #15958 #15954 AbdelrahmanHafez
• fix: prevent crash when accessing nested paths on prototype #15962 #15961 som14062005

9.1.3 / 2026-01-09

• fix(model): support timestamps option to insertMany() as both boolean and QueryTimestampsConfig #15941 #15938
• fix(query): include preview of current and incoming update in error when merging normal update with pipeline #15939 #15928
• types(model): apply basic type casting to paths underneath subdocuments #15948 #15947
• types(utility): make WithLevel1NestedPaths correctly handle PopulatedDoc and other TypeScript unions with Document members #15942 #15923
• docs(schema): expose "DocumentArrayElement" #15590 hasezoey

9.1.2 / 2026-01-05

• fix(subdocs): pass options to pre-save hooks for subdocs #15921 #15920 AbdelrahmanHafez
• perf(model): select only _id when checking document existence during save() #15919 AbdelrahmanHafez

... (truncated)

Commits

• 472e7c7 chore: release 8.22.1
• 1735149 Merge branch '7.x' into 8.x
• 5227801 chore: release 7.8.9
• b804e34 fix: handle other top-level query operators in sanitizeFilter
• 8d9a81f chore: release 8.22.0
• f752854 Merge pull request #15985 from Automattic/8.22
• e7a57ed avoid hardcoding dbName
• 31adbb4 chore: release 8.21.1
• 62a5af7 test: bring test cases from #15958 into 8.x to ensure fixes are applied in 8.x
• bc8cb23 implement review suggestions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongoose since your current version.

Updates next from 14.2.12 to 16.2.9

Release notes

Sourced from next's releases.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

... (truncated)

Commits

• f37fad9 v16.2.9
• d9aaaed [cd] Allow tagging semver-lower releases as @latest if @latest po… (#94627)
• 6f16804 v16.2.8
• 0dbc1d5 [16.2.x][cd] Ensure release can be triggered on old branches (#94598)
• 90e3c81 [16.2.x] Align Actions dependencies with Canary (#94339)
• 83f402c [16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)
• 411c455 v16.2.7
• c63224f [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolut...
• 63115c7 [16.2.x] Don't drop FormData entries (#94240)
• aef22fd [backport] Propagate adapter preferred regions (#94200)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next-auth from 4.24.7 to 4.24.14

Release notes

Sourced from next-auth's releases.

next-auth@4.24.14

Bugfixes

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13412)

GitHub now returns an iss parameter in OAuth callbacks. openid-client validates it unconditionally, which was breaking authentication for apps that didn't configure an issuer. This sets the default GitHub provider issuer to https://github.com/login/oauth.

Commits

• e9a892a chore(release): bump version [skip ci]
• 0497da4 fix(providers): add issuer to github (#13412)
• 1a70ee8 chore(release): bump version [skip ci]
• edafd21 chore: bump version
• aafbfb9 chore: fix apps deps
• 1f48cf7 chore(release): bump version [skip ci]
• 4758a2f ci: add workflow_dispatch for release.yml
• d3aecfe feat: add next 16 support (#13303)
• 82efcf8 fix: security issue from nodemailer (#13304)
• 798c3d5 docs: update banner
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates next-auth from 4.24.7 to 4.24.14

Release notes

Sourced from next-auth's releases.

next-auth@4.24.14

Bugfixes

• providers: add issuer to GitHub provider for RFC 9207 compliance (#13412)

GitHub now returns an iss parameter in OAuth callbacks. openid-client validates it unconditionally, which was breaking authentication for apps that didn't configure an issuer. This sets the default GitHub provider issuer to https://github.com/login/oauth.

Commits

• e9a892a chore(release): bump version [skip ci]
• 0497da4 fix(providers): add issuer to github (#13412)
• 1a70ee8 chore(release): bump version [skip ci]
• edafd21 chore: bump version
• aafbfb9 chore: fix apps deps
• 1f48cf7 chore(release): bump version [skip ci]
• 4758a2f ci: add workflow_dispatch for release.yml
• d3aecfe feat: add next 16 support (#13303)
• 82efcf8 fix: security issue from nodemailer (#13304)
• 798c3d5 docs: update banner
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by better-gustavo, a new releaser for next-auth since your current version.

Updates nodemailer from 6.9.14 to 8.0.9

Release notes

Sourced from nodemailer's releases.

v8.0.9

8.0.9 (2026-05-26)

Bug Fixes

• two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

v8.0.8

8.0.8 (2026-05-23)

Bug Fixes

• enforce strict TLS for OAuth2 and Ethereal credential requests (#1818) (833d6e5)
• four listener/stream leaks in SMTP transport, connection, pool (#1817) (850bb91)

v8.0.7

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

v8.0.6

8.0.6 (2026-04-24)

Bug Fixes

• restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1811) (b1ae6c1)

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.9 (2026-05-26)

Bug Fixes

• two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

8.0.8 (2026-05-23)

Bug Fixes

• enforce strict TLS for OAuth2 and Ethereal credential requests (#1818) (833d6e5)
• four listener/stream leaks in SMTP transport, connection, pool (#1817) (850bb91)

8.0.7 (2026-04-27)

Bug Fixes

• keep domain as UTF-8 when local part is non-ASCII (#1814) (66d4ecb)

8.0.6 (2026-04-24)

Bug Fixes

• restore base64 wrap() trim behavior to prevent trailing CRLF (#1810) (#1811) (b1ae6c1)

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)

... (truncated)

Commits

• 07303cb chore(master): release 8.0.9 (#1821)
• 5f69497 fix: two pending security advisories (jsonTransport access bypass, List-* CRL...
• 15138a8 chore(master): release 8.0.8 (#1819)
• 850bb91 fix: four listener/stream leaks in SMTP transport, connection, pool (#1817)
• 833d6e5 fix: enforce strict TLS for OAuth2 and Ethereal credential requests (Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
helpops-hub2	Error		Jun 15, 2026 11:59pm

[github-actions]

Thank you, dependabot[bot], for creating this pull request and contributing to HelpOps-Hub! 💗

The maintainers will review this Pull Request and provide feedback as soon as possible! 😇

• We appreciate your patience and contribution, Keep up the great work! 😀