
fix: vulnerabilities by updating packages #2339

Merged
JivusAyrus merged 8 commits into main from suvij/eng-8383-remediate-medium-vulnerabilities-github-repo
Nov 26, 2025

Conversation

@JivusAyrus
Member

@JivusAyrus JivusAyrus commented Nov 18, 2025

Summary by CodeRabbit

  • Chores
    • Updated nodemailer to v7.0.7 with TypeScript type support (v7.0.3).
    • Upgraded Next.js framework to v15.4.7 across project dependencies and build configurations.
    • Bumped Vite development build tool to v5.4.21.
    • All updates maintain backward compatibility with no impact to existing features or public APIs.


@coderabbitai
Contributor

coderabbitai Bot commented Nov 18, 2025

Walkthrough

Four package.json files updated with dependency version bumps: nodemailer and its type definitions in controlplane, Next.js in the root pnpm overrides and studio workspace, and Vite in playground. These are version-only changes with no code modifications.

Changes

Cohort / File(s) Summary
Nodemailer packages
controlplane/package.json
Updated nodemailer from ^6.9.11 to ^7.0.7 (major version) and @types/nodemailer from ^6.4.14 to ^7.0.3
Next.js framework
package.json, studio/package.json
Bumped Next.js from 15.2.4 to 15.4.7 in root pnpm overrides and studio dependencies
Build tool
playground/package.json
Updated Vite from ^5.4.19 to ^5.4.21 in devDependencies

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • The nodemailer major version bump (6.x → 7.x) warrants verification for breaking changes, compatibility, and any required code updates in controlplane
  • Confirm Next.js 15.4.7 compatibility across dependencies in both root and studio packages
  • Vite patch update is routine and low-risk

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main changes in the PR - updating multiple package dependencies (nodemailer, Next.js, and Vite) to fix vulnerabilities across multiple package.json files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e917005 and 710aa01.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • controlplane/package.json (2 hunks)
  • package.json (1 hunks)
  • studio/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: build-router
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: image_scan
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./events)
  • GitHub Check: Analyze (go)
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (2)
studio/package.json (1)

95-95: Next.js 15.4.7 fixes a real SSRF vulnerability, but newer versions (15.5+ and 16) are available—consider updating further.

The upgrade from 15.2.4 to 15.4.7 resolves CVE-2025-57822, a Server-Side Request Forgery (SSRF) vulnerability in Next.js middleware triggered when NextResponse.next() is called without explicitly passing the request object, potentially allowing unsafe header forwarding. This is a legitimate security fix.

However, 15.4.7 is not the latest stable release. Next.js 16 (released October 2025) is the current major version, and 15.5+ releases exist while 15.x is now in Maintenance LTS. Evaluate whether this update should target a later 15.5.x release or plan a migration to Next.js 16 to avoid technical debt.

controlplane/package.json (1)

80-80: Nodemailer 7.0.7 upgrade is justified—CVE-2025-13033 security fix; no breaking changes affect controlplane.

Verification confirms this upgrade is safe and beneficial:

  1. Security advisory resolved: CVE-2025-13033 (improper handling of quoted local-parts containing @, leading to email misdelivery) is fixed in 7.0.7.

  2. No breaking changes for controlplane: The primary breaking change in nodemailer 7.x affects only projects using AWS SES transport (requires @aws-sdk/client-sesv2). Controlplane uses basic SMTP transport (createTransport with smtpHost/smtpPort), which remains unchanged. Only createTransport() and sendMail() are called—both are stable APIs across versions.

  3. Type definitions properly updated: @types/nodemailer ^7.0.3 aligns with the runtime upgrade.

No code changes are needed in controlplane to support nodemailer 7.0.7.


Comment @coderabbitai help to get the list of available commands and usage tips.
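The quoted-local-part failure mode named in the nodemailer comment above, as an added example (this is not nodemailer's or Cosmo's code). RFC 5321 allows a quoted local part such as "alice@x"@y.example, in which the '@' inside the quotes is literal and only the '@' outside the quotes separates local part from domain. The block pairs a hypothetical naive tokenizer that stops at the first '@' (a stand-in for the bug class, not a reproduction of nodemailer's pre-7.0.7 parser) with a quote-aware splitter, and runs both over constructed addresses to show which domain each would route to.

```javascript
// Added example (not nodemailer's or Cosmo's code): the quoted-local-part
// failure mode. A tokenizer that takes the first '@' as the local/domain
// boundary routes "alice@attacker.example"@victim.example to attacker.example.
// `naiveSplit` is a hypothetical stand-in for that bug class, not a
// reproduction of nodemailer's pre-7.0.7 code.

// Hypothetical naive tokenizer: boundary = first '@', domain = the run of
// domain characters that follows it.
function naiveSplit(address) {
  const at = address.indexOf("@");
  if (at < 0) return null;
  const domain = (address.slice(at + 1).match(/^[A-Za-z0-9.-]+/) || [""])[0];
  return { local: address.slice(0, at), domain };
}

// Quote-aware splitter: inside double quotes '@' is literal and a backslash
// escapes the next character (RFC 5321 quoted-string). The domain is whatever
// follows the first '@' outside quotes; it must be non-empty and contain
// neither '@' nor '"'.
function quoteAwareSplit(address) {
  let inQuotes = false;
  for (let i = 0; i < address.length; i++) {
    const ch = address[i];
    if (inQuotes) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inQuotes = false;
      continue;
    }
    if (ch === '"') { inQuotes = true; continue; }
    if (ch === "@") {
      const domain = address.slice(i + 1);
      if (!domain || /[@"]/.test(domain)) return null;
      return { local: address.slice(0, i), domain };
    }
  }
  return null; // no '@' outside quotes, or an unterminated quote
}

// Constructed addresses: a plain one, a quoted local part containing '@', and
// one with an escaped quote before the inner '@'.
const SAMPLE_ADDRESSES = [
  "alice@victim.example",
  '"alice@attacker.example"@victim.example',
  '"alice\\"@attacker.example"@victim.example',
];

// Where each splitter would send the message; a mismatch is a misdelivery.
function deliveryDomains(address) {
  const naive = naiveSplit(address);
  const safe = quoteAwareSplit(address);
  return {
    address,
    naive: naive ? naive.domain : null,
    quoteAware: safe ? safe.domain : null,
    misdelivered: !!naive && !!safe && naive.domain !== safe.domain,
  };
}

function demo() {
  return SAMPLE_ADDRESSES.map(deliveryDomains);
}

console.table(demo());
```

The quote-aware splitter rejects anything it cannot parse unambiguously (unterminated quote, '@' or '"' in the domain part) rather than guessing, which is the right default for a sender: a hard failure is visible, a misrouted message is not.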
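The walkthrough above notes that Next.js is pinned through a root pnpm override and that pnpm-lock.yaml was excluded from the review. The check a practitioner wants after such a bump is that the override actually took effect, i.e. that no stale resolution of the package survives in the lockfile. The following is an added example (not Cosmo's or pnpm's code) that reads the `overrides:` and `packages:` sections of a pnpm v9 lockfile; the lockfile excerpt is constructed for the demo and deliberately contains one stale `next@15.2.4` entry next to the pinned `next@15.4.7`.

```javascript
// Added example (not Cosmo's or pnpm's code): confirm that a pnpm override took
// effect by checking that every resolved version of a package in pnpm-lock.yaml
// equals the pinned one. The excerpt below is constructed for the demo; the key
// shapes follow the pnpm v9 lockfile format ("  pkg@version(peer@version):"
// entries under "packages:", pins under a top-level "overrides:").

const LOCKFILE_EXCERPT = `
lockfileVersion: '9.0'

overrides:
  next: 15.4.7

packages:

  next@15.2.4(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
    resolution: {integrity: sha512-constructed}

  next@15.4.7(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
    resolution: {integrity: sha512-constructed}

  nodemailer@7.0.7:
    resolution: {integrity: sha512-constructed}
`;

// Distinct resolved versions of `name` under `packages:`. Scoped names such as
// @types/nodemailer are escaped before being placed in the regex.
function resolvedVersions(lockfileText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^  ${escaped}@([^:(]+)`, "gm");
  const versions = new Set();
  for (const m of lockfileText.matchAll(re)) versions.add(m[1]);
  return [...versions].sort();
}

// Parse the top-level `overrides:` block (two-space indented "name: version").
function overrides(lockfileText) {
  const out = {};
  const block = lockfileText.match(/^overrides:\n((?:  .+\n)+)/m);
  if (!block) return out;
  for (const line of block[1].trimEnd().split("\n")) {
    const [k, v] = line.trim().split(/:\s*/, 2);
    out[k] = v.replace(/^['"]|['"]$/g, "");
  }
  return out;
}

// Versions of `name` that do not match its override; an empty list means the
// override applied everywhere. Throws if the package is not overridden at all.
function staleResolutions(lockfileText, name) {
  const pinned = overrides(lockfileText)[name];
  if (pinned === undefined) throw new Error(`no override for ${name}`);
  return resolvedVersions(lockfileText, name).filter((v) => v !== pinned);
}

// Example run on the constructed excerpt; in a repo, read pnpm-lock.yaml with fs.
console.log("stale next resolutions:", staleResolutions(LOCKFILE_EXCERPT, "next"));
```

A non-empty result means some dependency path still resolves the old version and the override needs a re-install (or the lockfile was not regenerated); wiring this into CI next to the existing image_scan check turns a version bump from "looks right in package.json" into a verified property of what actually ships.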

@github-actions

github-actions Bot commented Nov 18, 2025

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-2f58360757c74d6bdc35ef54d102d86942ea503d-nonroot

Contributor

@StarpTech StarpTech left a comment


LGTM

@codecov

codecov Bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@64bdd46). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2339   +/-   ##
=======================================
  Coverage        ?   32.56%           
=======================================
  Files           ?      336           
  Lines           ?    33629           
  Branches        ?      243           
=======================================
  Hits            ?    10950           
  Misses          ?    21683           
  Partials        ?      996           


@JivusAyrus JivusAyrus merged commit ef16299 into main Nov 26, 2025
49 checks passed
@JivusAyrus JivusAyrus deleted the suvij/eng-8383-remediate-medium-vulnerabilities-github-repo branch November 26, 2025 16:56

3 participants