Skip to content

v2.72.3

Latest

Choose a tag to compare

@github-actions github-actions released this 06 Jul 07:49
141a1eb

2.72.3 (2026-07-06)

Bug Fixes

  • bump imapflow to 1.4.4 (dedupe nodemailer/iconv-lite) (5acc8cd)
  • bump imapflow/mailparser/mailsplit/email-ai-tools (collapse iconv-lite) (51dcffb)
  • bump libmime/mailparser/smtp-server/pubface (uniform nodemailer) (eee89bb)
  • constant-time MS Graph clientState check and escape unsubscribe email (3def225)
  • escape Redis glob metacharacters in account-scoped SCAN patterns (603d9db)
  • escape untrusted email fields in message browser to prevent stored XSS (1159cc1)
  • gate hosted auth form with a single-use nonce and probe cap, harden serviceSecret (7ea4ff7)
  • harden hosted authentication form (SSRF gate, fail-closed HMAC, XSS) (4267df7)
  • HTML-escape json Handlebars helper to prevent stored XSS in error logs (af2c153)
  • override grunt's transitive js-yaml to 3.15.0 (GHSA-h67p-54hq-rp68) (024a923)
  • stop logging the MS Graph access token on HTTP 401 (f2f0300)
  • update dependencies (@postalsys/ee-client 1.3.2, nodemailer 9.0.3, bullmq 5.79.2, @sentry/node 10.63.0, @bull-board 8.0.2) (b954f67)
  • update dependencies (email-text-tools 2.4.10, email-ai-tools 1.13.10) (73df05c)
  • use constant-time comparison for secret and MAC checks (453caf3)
  • verify HMAC signature on the human-facing unsubscribe routes (e30be83)