build(deps): bump mailparser from 3.7.5 to 3.9.3

[dependabot]

Bumps mailparser from 3.7.5 to 3.9.3.

Release notes

Sourced from mailparser's releases.

mailparser: v3.8.1

3.8.1 (2025-11-05)

Bug Fixes

• trigger new build (7f2eb78)

mailparser: v3.8.0

3.8.0 (2025-11-04)

Bug Fixes

• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)

Changelog

Sourced from mailparser's changelog.

3.9.3 (2026-01-28)

Bug Fixes

• escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #412

3.9.2 (2026-01-28)

Bug Fixes

• Bumpe deps (508bcf7)

3.9.1 (2025-12-11)

Bug Fixes

• update dependencies (6879d1b)

3.9.0 (2025-11-05)

Features

• events: Emit a new headerLines event to gain access the raw headers (#364) (d33d7ec)

Bug Fixes

• ⬆️ update nodemailer dependency to resolve security issue GHSA-9h6g-pr28-7cqp (#357) (8bc4225)
• 150 (919f69a)
• 272: Throw TypeError for invalid input. (abd7e43)
• 34, bump version (09aa0bd)
• bumped deps (9a13f4e)
• Bumped deps (bb9c014)
• Bumped deps (9e084f9)
• Bumped mailsplit to fix flowed parser (da753e4)
• capture decoder end event to use on cleanup (4e367f7)
• deploy: added auto-deployment (d6eb56f)
• deps: Bumped deps (db842ad)
• deps: Bumped deps to fix issue with missing whitespace (92884d0)
• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
• deps: Replaced 'punycode' with 'punycode.js' module (4a15157)
• error on ks_c_5601-1987 (89572e0)
• Fix produced text address list string according to rfc 2822 (#340) (6bae600)
• handle simpleParser input stream error (faf9fc5)
• punycode: Fixes #355 Deprecation warning of the punycode module (#356) (0f35330)
• simple-parser: Buffer.from(string) default encode is utf-8,when input string‘s encode is gbk,result has some garbled (633e436)

... (truncated)

Commits

• 05db224 chore(master): release 3.9.3 [skip-ci]
• 921a67d fix: escape URLs and link text in textToHtml to prevent XSS
• bb325f1 chore(master): release 3.9.2 [skip-ci]
• 508bcf7 fix: Bumpe deps
• 0e71fed docs: add maintenance mode notice to README
• 2205e48 chore(master): release 3.9.1 [skip-ci]
• 6879d1b fix: update dependencies
• 3e1e029 chore(master): release 3.9.0 [skip-ci]
• b831000 Merge branch 'master' of github.com:nodemailer/mailparser
• 3cf6241 fix: trigger new build
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for mailparser since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade mailparser from 3.7.5 to 3.9.3 to pull in security fixes and recent bug fixes. This includes escaping URLs/link text in textToHtml to prevent XSS.

• Dependencies
  • mailparser 3.9.3
  • Transitive updates: nodemailer 7.0.13, iconv-lite 0.7.2, tlds 1.261.0, switch to @zone-eu/mailsplit 5.4.8
  • Lockfiles updated only; no app code changes expected

^{Written for commit f86ea81. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ever-traduora-docs	Error		Mar 4, 2026 9:34pm

[greptile-apps]

No reviewable files after applying ignore patterns.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	class-validator@​0.13.1
	typeorm@​0.2.37
	webpack@​5.50.0 ⏵ 5.52.1	+5		+1	-2
	@​types/​moment@​2.13.0
	@​types/​handlebars@​4.1.0
	@​types/​csv-stringify@​3.1.0
	supertest@​6.2.2
	@​types/​iconv-lite@​0.0.1
	querystring@​0.2.0 ⏵ 0.2.1			+1
	axios@​0.21.4
	jest@​27.2.0
	@​types/​supertest@​2.0.11
	semver-regex@​4.0.3
	@​types/​js-yaml@​4.0.3
	@​types/​bcrypt@​5.0.0
	nodemailer@​6.6.3
	@​types/​express@​4.17.13
	@​types/​morgan@​1.9.3
	node-native2ascii@​0.2.0
	copyfiles@​2.4.1
	xml-js@​1.6.11
	strings-file@​0.0.5
	properties@​1.2.1
	php-array-parser@​1.0.1
	@​types/​nodemailer@​6.4.4
	@​types/​jest@​26.0.24
	@​types/​express-serve-static-core@​4.17.24
	moment@​2.29.2
	preview-email@​3.0.5
	xliff@​5.6.2
	passport-jwt@​4.0.0
	generate-password@​1.6.1
	webpack-node-externals@​1.7.2
	passport@​0.4.1
See 27 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: SQL Injection and Cross-site Scripting in npm class-validator CVE: GHSA-fj58-h2fr-3pp2 SQL Injection and Cross-site Scripting in class-validator (CRITICAL) Affected versions: < 0.14.0 Patched version: 0.14.0 From: api/package.json → npm/class-validator@0.13.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/class-validator@0.13.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 3.0.4 From: ? → npm/jest@27.2.0 → npm/form-data@3.0.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@3.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: ? → npm/supertest@6.2.2 → npm/form-data@4.0.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: SQL injection in typeORM CVE: GHSA-fx4w-v43j-vc45 SQL injection in typeORM (CRITICAL) Affected versions: < 0.3.0 Patched version: 0.3.0 From: api/package.json → npm/typeorm@0.2.37 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typeorm@0.2.37. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cubic-dev-ai]

No issues found across 2 files

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud