chore(deps): bump undici to 7.28.0 and nodemailer to 9.0.1#5218

Merged
waleedlatif1 merged 2 commits into
stagingfrom
worktree-dependabot-undici-nodemailer
Jun 26, 2026
Conversation

@waleedlatif1

Collaborator

Summary

  • Bump undici 7.25.0 → 7.28.0 to resolve 7 Dependabot alerts (3 High, 2 Moderate, 2 Low): WebSocket fragment-count DoS, SOCKS5 cross-origin routing, SOCKS5 ProxyAgent TLS bypass, shared-cache whitespace disclosure, Set-Cookie percent-decoding header injection, SameSite downgrade, keep-alive response queue poisoning.
  • Bump nodemailer 8.0.9 → 9.0.1 to resolve 1 High alert: message-level raw option bypassing disableFileAccess/disableUrlAccess (arbitrary file read + SSRF).
  • Bump @types/nodemailer 7.0.4 → 8.0.1 to match the runtime major.

Notes

  • nodemailer 9's only breaking change is default TLS validation when fetching remote content (attachment URLs, OAuth2 endpoints, proxy CONNECT). Our SMTP and SES providers send attachments as in-memory buffers and use standard auth — no remote fetching — so no code changes are required.

Type of Change

  • Security fix (dependency bump)

Testing

  • bunx tsc --noEmit clean (0 errors)
  • bun run lint clean
  • Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
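The note above relies on one property of the application's mail path: attachments and bodies are handed to nodemailer as in-memory content, so nodemailer's file and URL fetching is never exercised and the nodemailer 9 TLS default is irrelevant. The following added example (not code from this PR or from the sim project) turns that assumption into a pre-send policy check: it rejects any message that sources content from a local `path` or remote `href`, or that uses the message-level `raw` option whose bypass of `disableFileAccess`/`disableUrlAccess` is the alert fixed by the nodemailer 9.0.1 bump, and it sets both disable flags explicitly. The option names checked are nodemailer's documented message and attachment options; the sample messages and addresses are constructed.

```javascript
// Added example: pre-send policy check for nodemailer message objects.
// Not code from the PR or the sim codebase. Option names (`raw`, `path`,
// `href`, `content`, `disableFileAccess`, `disableUrlAccess`, `attachments`,
// `alternatives`, `icalEvent`) are nodemailer's documented message options.

// Keys that make nodemailer read content from disk or the network.
const SOURCE_KEYS = ['path', 'href'];

// Return policy violations for one content part (attachment, alternative,
// text/html/icalEvent object). Plain strings and Buffers are in-memory
// content and pass unchanged.
function checkPart(part, label) {
  const violations = [];
  if (part === null || typeof part !== 'object' || Buffer.isBuffer(part)) {
    return violations;
  }
  for (const key of SOURCE_KEYS) {
    if (part[key] !== undefined) {
      violations.push(`${label}: "${key}" sources content from disk or network (${String(part[key])})`);
    }
  }
  if (part.raw !== undefined) {
    violations.push(`${label}: "raw" bypasses attachment processing and is disallowed`);
  }
  if (part.content !== undefined && typeof part.content !== 'string' && !Buffer.isBuffer(part.content)) {
    violations.push(`${label}: "content" must be a string or Buffer, got ${typeof part.content}`);
  }
  return violations;
}

// Walk every field of a nodemailer message that can carry external content.
function validateOutboundMessage(message) {
  const violations = [];
  if (message.raw !== undefined) {
    violations.push('message: "raw" replaces the generated MIME body and is disallowed');
  }
  for (const field of ['text', 'html', 'icalEvent']) {
    if (message[field] !== undefined) {
      violations.push(...checkPart(message[field], field));
    }
  }
  for (const list of ['attachments', 'alternatives']) {
    const parts = Array.isArray(message[list]) ? message[list] : [];
    parts.forEach((part, i) => violations.push(...checkPart(part, `${list}[${i}]`)));
  }
  return violations;
}

// Reject non-compliant messages and pin the access flags on compliant ones,
// so the restriction does not depend on the caller remembering to set them.
function hardenMessage(message) {
  const violations = validateOutboundMessage(message);
  if (violations.length > 0) {
    throw new Error(`refusing to send:\n  ${violations.join('\n  ')}`);
  }
  return { ...message, disableFileAccess: true, disableUrlAccess: true };
}

// Constructed sample messages (addresses and paths are placeholders).
const SAFE_MESSAGE = {
  from: 'noreply@example.invalid',
  to: 'user@example.invalid',
  subject: 'Weekly report',
  text: 'Report attached.',
  attachments: [{ filename: 'report.csv', content: Buffer.from('id,total\n1,42\n') }],
};

const UNSAFE_MESSAGE = {
  from: 'noreply@example.invalid',
  to: 'user@example.invalid',
  subject: 'Weekly report',
  html: { path: '/var/app/templates/report.html' },
  raw: 'From: noreply@example.invalid\r\nSubject: Weekly report\r\n\r\nbody',
  attachments: [
    { filename: 'hostname.txt', path: '/etc/hostname' },
    { filename: 'logo.png', href: 'http://internal.example.invalid/logo.png' },
  ],
};

console.log('safe message violations:', validateOutboundMessage(SAFE_MESSAGE));
console.log('unsafe message violations:', validateOutboundMessage(UNSAFE_MESSAGE));
console.log('hardened flags:', hardenMessage(SAFE_MESSAGE).disableFileAccess, hardenMessage(SAFE_MESSAGE).disableUrlAccess);
```

Call `hardenMessage` on every message immediately before `transporter.sendMail`; a message built from provider buffers passes through with both flags set, while one that reaches for a path, URL or raw MIME body is rejected before nodemailer sees it.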

@waleedlatif1 waleedlatif1 requested a review from a team as a code owner June 26, 2026 00:15
@vercel

vercel Bot commented Jun 26, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 26, 2026 12:32am

@cursor

cursor Bot commented Jun 26, 2026


PR Summary

Low Risk
Changes are version pins and lockfile only; risk is limited to transitive HTTP/email client behavior, with no direct code edits in this PR.

Overview
Security-focused dependency bumps in apps/sim with lockfile refresh only—no application code changes.

undici moves from 7.25.0 to 7.28.0 to address multiple Dependabot alerts (WebSocket DoS, SOCKS5 routing/TLS issues, cookie/header handling, keep-alive poisoning). The app uses undici for guarded outbound fetch in input-validation.server.ts.

nodemailer moves from 8.0.9 to 9.0.1 to fix a high-severity issue where a message-level raw option could bypass file/URL access restrictions. @types/nodemailer is aligned to 8.0.1 (types no longer pull @aws-sdk/client-sesv2 as a dependency). SMTP and SES flows use in-memory attachments and standard transport auth rather than nodemailer’s remote URL fetching, so the nodemailer 9 TLS default for remote content is unlikely to affect current usage.

Reviewed by Cursor Bugbot for commit cde2e81.

@greptile-apps

greptile-apps Bot commented Jun 26, 2026

Contributor

Greptile Summary

This PR updates mail and HTTP client dependencies for security fixes.

  • Bumps undici from 7.25.0 to 7.28.0.
  • Bumps nodemailer from 8.0.9 to 9.0.1.
  • Updates @types/nodemailer from 7.0.4 to 8.0.1.
  • Refreshes bun.lock so transitive Undici users resolve to the updated version.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

apps/sim/package.json: Updates the direct undici, nodemailer, and @types/nodemailer dependency versions.
bun.lock: Updates locked dependency resolutions and removes the stale transitive Undici 7.25.0 entries.

Reviews (2): Last reviewed commit: "chore(deps): dedupe cheerio and e2b tran..."
@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit cde2e81.

@waleedlatif1 waleedlatif1 merged commit ca4e07b into staging Jun 26, 2026
16 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-dependabot-undici-nodemailer branch June 26, 2026 00:33