feat(newsletter): migrate from sendgrid to resend

[HugoRCD]

I have already added the environment variables on Vercel and all contacts to the newsletter audience.

Confirmation mail:

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt	Ready	Preview, Comment	Feb 12, 2026 5:25pm

[coderabbitai]

Warning

Rate limit exceeded

@atinux has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 34 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

This pull request migrates the application's email service from SendGrid to Resend. The changes involve replacing SendGrid-related environment variables in the configuration, updating the Nuxt runtime config to use Resend credentials instead, adding the Resend package dependency, and rewriting the newsletter subscription and confirmation API endpoints to use Resend's contact management and email APIs. The SendGrid utility functions and type definitions are removed entirely, and all SendGrid configuration references are replaced with Resend equivalents throughout the codebase.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: migrating the newsletter system from SendGrid to Resend.
Description check	✅ Passed	The description is related to the changeset, noting environment variable setup, contact migration, and including a screenshot of the confirmation email flow.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/resend-newsletter

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@package.json`:
- Line 63: The package.json currently references a non-existent npm version
"resend": "^6.9.2"; update the dependency entry for the "resend" package to the
correct available version "^6.9.1" so npm installs succeed—locate the "resend"
dependency line in package.json and change the version string to "^6.9.1".

In `@server/api/newsletter/confirm.post.ts`:
- Around line 32-37: The current error handling in confirm.post.ts always throws
createError({ statusCode: 400, ... }) which misclassifies upstream Resend SDK
failures; update the error mapping in the block that inspects the caught error
(the same error variable) to check for Resend/HTTP status information (e.g.,
error.status, error.statusCode, or error.response?.status) and set the
createError statusCode accordingly — preserve 4xx client errors as-is
(400/401/429/etc.), map upstream 5xx or network failures to 502 (or 500) and
include the original error message/details in the log/message; keep using
createError so the function and error variable names remain unchanged.

In `@server/api/newsletter/subscribe.post.ts`:
- Line 20: The confirmation URL currently builds from the untrusted Origin
header (getHeader(event, 'origin')) which allows phishing; change the logic that
computes confirmationURL to use a trusted site base from runtime config or an
exposed env var (e.g., runtimeConfig.public.siteUrl or NUXT_PUBLIC_SITE_URL)
instead of getHeader(event, 'origin'), keep the existing withTrailingSlash and
withQuery calls (confirmation, email) but source the base URL from the trusted
config value and fall back to a hardcoded safe URL only if that config is
missing.

In `@server/utils/email-templates.ts`:
- Line 34: The confirmationURL is interpolated raw into the email template (see
confirmationURL in server/utils/email-templates.ts) which can allow injected
quotes or angle-brackets to break attributes or inject HTML; fix by
HTML-escaping the value before interpolation: add or reuse a small escapeHtml
function (replacing & < > " ' / with their entities) and use
escapeHtml(confirmationURL) for the anchor text and an attribute-safe escape
(same escapeHtml) for the href value; update the template key locations where
confirmationURL is used (the anchor href and inner text) to use the escaped
value so both attribute and text contexts are safe.