fix: vulnerabilities by updating packages

[JivusAyrus]

Summary by CodeRabbit

• Chores
  • Updated nodemailer to v7.0.7 with TypeScript type support (v7.0.3).
  • Upgraded Next.js framework to v15.4.7 across project dependencies and build configurations.
  • Bumped Vite development build tool to v5.4.21.
  • All updates maintain backward compatibility with no impact to existing features or public APIs.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Four package.json files updated with dependency version bumps: nodemailer and its type definitions in controlplane, Next.js in the root pnpm overrides and studio workspace, and Vite in playground. These are version-only changes with no code modifications.

Changes

Cohort / File(s)	Summary
Nodemailer packages controlplane/package.json	Updated nodemailer from ^6.9.11 to ^7.0.7 (major version) and @types/nodemailer from ^6.4.14 to ^7.0.3
Next.js framework package.json, studio/package.json	Bumped Next.js from 15.2.4 to 15.4.7 in root pnpm overrides and studio dependencies
Build tool playground/package.json	Updated Vite from ^5.4.19 to ^5.4.21 in devDependencies

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• The nodemailer major version bump (6.x → 7.x) warrants verification for breaking changes, compatibility, and any required code updates in controlplane
• Confirm Next.js 15.4.7 compatibility across dependencies in both root and studio packages
• Vite patch update is routine and low-risk

Possibly related PRs

• fix: prevent vulnerable peer dependencies #2195: Modifies pnpm.overrides in package.json for transitive dependency constraint management, similar dependency resolution pattern

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes in the PR - updating multiple package dependencies (nodemailer, Next.js, and Vite) to fix vulnerabilities across multiple package.json files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e917005 and 710aa01.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• controlplane/package.json (2 hunks)
• package.json (1 hunks)
• studio/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: build-router
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./events)
• GitHub Check: Analyze (go)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

studio/package.json (1)

95-95: Next.js 15.4.7 fixes a real SSRF vulnerability, but newer versions (15.5+ and 16) are available—consider updating further.

The upgrade from 15.2.4 to 15.4.7 resolves CVE-2025-57822, a Server-Side Request Forgery (SSRF) vulnerability in Next.js middleware triggered when NextResponse.next() is called without explicitly passing the request object, potentially allowing unsafe header forwarding. This is a legitimate security fix.

However, 15.4.7 is not the latest stable release. Next.js 16 (released October 2025) is the current major version, and 15.5+ releases exist while 15.x is now in Maintenance LTS. Evaluate whether this update should target a later 15.5.x release or plan a migration to Next.js 16 to avoid technical debt.

controlplane/package.json (1)

80-80: Nodemailer 7.0.7 upgrade is justified—CVE-2025-13033 security fix; no breaking changes affect controlplane.

Verification confirms this upgrade is safe and beneficial:

1. Security advisory resolved: CVE-2025-13033 (improper handling of quoted local-parts containing @, leading to email misdelivery) is fixed in 7.0.7.

2. No breaking changes for controlplane: The primary breaking change in nodemailer 7.x affects only projects using AWS SES transport (requires @aws-sdk/client-sesv2). Controlplane uses basic SMTP transport (createTransport with smtpHost/smtpPort), which remains unchanged. Only createTransport() and sendMail() are called—both are stable APIs across versions.

3. Type definitions properly updated: @types/nodemailer ^7.0.3 aligns with the runtime upgrade.

No code changes are needed in controlplane to support nodemailer 7.0.7.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-2f58360757c74d6bdc35ef54d102d86942ea503d-nonroot

[StarpTech]

LGTM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@64bdd46). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2339   +/-   ##
=======================================
  Coverage        ?   32.56%           
=======================================
  Files           ?      336           
  Lines           ?    33629           
  Branches        ?      243           
=======================================
  Hits            ?    10950           
  Misses          ?    21683           
  Partials        ?      996           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.