Skip to content

chore(deps): apply safe updates and upgrade mjml to v5#7

Merged
chriskehayias merged 1 commit intomainfrom
chore/dep-audit-safe-updates-mjml5
Apr 18, 2026
Merged

chore(deps): apply safe updates and upgrade mjml to v5#7
chriskehayias merged 1 commit intomainfrom
chore/dep-audit-safe-updates-mjml5

Conversation

@chriskehayias
Copy link
Copy Markdown
Contributor

@chriskehayias chriskehayias commented Apr 18, 2026

Dependency audit (2026-04-17) — reduces npm audit from 33 → 2 vulns (1 critical, 31 high closed). Only remaining items are xmldom via docxtemplater-image-module-free (no upstream fix).

Safe updates (patch/minor, non-breaking):

  • next 16.2.3 → 16.2.4
  • eslint-config-next 16.2.3 → 16.2.4
  • better-auth 1.6.2 → 1.6.5
  • @react-pdf/renderer 4.4.1 → 4.5.1
  • autoprefixer 10.4.27 → 10.5.0
  • docxtemplater 3.68.4 → 3.68.5
  • postcss 8.5.9 → 8.5.10
  • typescript 6.0.2 → 6.0.3

Major upgrade:

  • mjml 4.18.0 → 5.0.1 (closes 31 high-severity advisories from html-minifier REDoS and mj-include directory traversal). MJML 5 replaces html-minifier with htmlnano. Zero code changes required — the mjml2html signature used by compileMjml() is unchanged, and we already pass minify:false. Client-side editor is unaffected because grapesjs-mjml@1.0.8 pulls mjml-browser@4 as a separate package.

Held for later:

  • eslint 9 → 10 (blocked on eslint-config-next 17)
  • jsdom 28 → 29 (no security driver)

Verification:

  • npm run build: ok (5s compile, 4s typecheck, Next 16.2.4)
  • npm run test:run: 507/507 passing
  • npm run lint: unchanged (95 pre-existing no-explicit-any in tests)

End-to-end template-editor compile flow still needs manual smoke test.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

@chriskehayias @claude
chore(deps): apply safe updates and upgrade mjml to v5
42e5005 
Dependency audit (2026-04-17) — reduces npm audit from 33 → 2 vulns
(1 critical, 31 high closed). Only remaining items are xmldom via
docxtemplater-image-module-free (no upstream fix).

Safe updates (patch/minor, non-breaking):
- next 16.2.3 → 16.2.4
- eslint-config-next 16.2.3 → 16.2.4
- better-auth 1.6.2 → 1.6.5
- @react-pdf/renderer 4.4.1 → 4.5.1
- autoprefixer 10.4.27 → 10.5.0
- docxtemplater 3.68.4 → 3.68.5
- postcss 8.5.9 → 8.5.10
- typescript 6.0.2 → 6.0.3

Major upgrade:
- mjml 4.18.0 → 5.0.1 (closes 31 high-severity advisories from
  html-minifier REDoS and mj-include directory traversal). MJML 5
  replaces html-minifier with htmlnano. Zero code changes required —
  the mjml2html signature used by compileMjml() is unchanged, and we
  already pass minify:false. Client-side editor is unaffected because
  grapesjs-mjml@1.0.8 pulls mjml-browser@4 as a separate package.

Held for later:
- eslint 9 → 10 (blocked on eslint-config-next 17)
- jsdom 28 → 29 (no security driver)

Verification:
- npm run build: ok (5s compile, 4s typecheck, Next 16.2.4)
- npm run test:run: 507/507 passing
- npm run lint: unchanged (95 pre-existing no-explicit-any in tests)

End-to-end template-editor compile flow still needs manual smoke test.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@chriskehayias chriskehayias merged commit 2a641c9 into main Apr 18, 2026
1 check passed
@chriskehayias chriskehayias deleted the chore/dep-audit-safe-updates-mjml5 branch April 18, 2026 10:15
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chriskehayias