Releases
v2.72.3
Compare
Sorry, something went wrong.
No results found
2.72.3 (2026-07-06)
Bug Fixes
bump imapflow to 1.4.4 (dedupe nodemailer/iconv-lite) (5acc8cd )
bump imapflow/mailparser/mailsplit/email-ai-tools (collapse iconv-lite) (51dcffb )
bump libmime/mailparser/smtp-server/pubface (uniform nodemailer) (eee89bb )
constant-time MS Graph clientState check and escape unsubscribe email (3def225 )
escape Redis glob metacharacters in account-scoped SCAN patterns (603d9db )
escape untrusted email fields in message browser to prevent stored XSS (1159cc1 )
gate hosted auth form with a single-use nonce and probe cap, harden serviceSecret (7ea4ff7 )
harden hosted authentication form (SSRF gate, fail-closed HMAC, XSS) (4267df7 )
HTML-escape json Handlebars helper to prevent stored XSS in error logs (af2c153 )
override grunt's transitive js-yaml to 3.15.0 (GHSA-h67p-54hq-rp68 ) (024a923 )
stop logging the MS Graph access token on HTTP 401 (f2f0300 )
update dependencies (@postalsys/ee-client 1.3.2, nodemailer 9.0.3, bullmq 5.79.2, @sentry/node 10.63.0, @bull-board 8.0.2) (b954f67 )
update dependencies (email-text-tools 2.4.10, email-ai-tools 1.13.10) (73df05c )
use constant-time comparison for secret and MAC checks (453caf3 )
verify HMAC signature on the human-facing unsubscribe routes (e30be83 )
You can’t perform that action at this time.