
chore: upgrade nodemailer to ^8.0.11 to address GHSA-268h-hp4c-crq3#1328

Merged
brendan-kellam merged 1 commit into main from linear/sou-1352-sourcebot-devsourcebot-ghsa-268h-hp4c-crq3-nodemailer-f111 on Jun 17, 2026

Conversation

brendan-kellam (Contributor) commented Jun 17, 2026

Fixes SOU-1352

Refreshes the lockfile so nodemailer resolves to 8.0.11, patching the CRLF injection in List-* header comments (GHSA-268h-hp4c-crq3). The existing ^8.0.5 range in packages/web/package.json already admits the patched version, so this is a lockfile-only change (yarn up -R nodemailer).

Summary by CodeRabbit

  • Bug Fixes
    • Updated nodemailer to version ^8.0.11
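The bug class the PR description names, a CR/LF inside a List-* header comment splitting one header into two, as an added example. This is illustrative code written for this page, not nodemailer's implementation or the patch in 8.0.11; the `<url> (comment)` layout follows the RFC 2369 / RFC 5322 conventions and the function names, the parser and the attacker-controlled comment are all this example's own constructions.

```javascript
// Added example (not nodemailer's code): how a CR/LF in a List-* header
// comment turns one header into two, and a builder that refuses it.
// The "<url> (comment)" shape follows RFC 2369 / RFC 5322 conventions and is
// assumed here; every function name below is this example's own.

// Naive builder: interpolates the comment verbatim. This is the shape of the
// bug class the advisory describes, reproduced here for illustration only.
function buildListHeaderNaive(name, url, comment) {
  const value = comment ? `<${url}> (${comment})` : `<${url}>`;
  return `List-${name}: ${value}`;
}

// Reject line breaks outright (CR or LF is never valid inside a header value,
// and silently stripping it would hide the attempt), then escape the three
// characters RFC 5322 requires to be quoted inside a comment: "(", ")" and "\".
function sanitizeComment(comment) {
  if (/[\r\n]/.test(comment)) {
    throw new Error('CR/LF in header comment rejected');
  }
  return comment.replace(/[\\()]/g, (c) => '\\' + c);
}

// Hardened builder: validates the header name and URL too, so no caller-
// supplied field can terminate the line or open a second angle-bracket URL.
function buildListHeader(name, url, comment) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) throw new Error('bad List-* name');
  if (/[\r\n<>\s]/.test(url)) throw new Error('bad URL for List-* header');
  const value = comment ? `<${url}> (${sanitizeComment(comment)})` : `<${url}>`;
  return `List-${name}: ${value}`;
}

// Lenient header parser (no folding support): splits on any line break and
// reports one {name, value} per line, the way a permissive receiver reads it.
function parseHeaderBlock(block) {
  return block
    .split(/\r\n|\r|\n/)
    .filter((line) => line.length > 0)
    .map((line) => {
      const i = line.indexOf(':');
      return { name: line.slice(0, i).trim(), value: line.slice(i + 1).trim() };
    });
}

// Constructed attacker-controlled comment: ends the List-Unsubscribe line and
// smuggles a second header in. Domain and path are placeholders.
const MALICIOUS_COMMENT = 'unsubscribe\r\nBcc: attacker@example.invalid';
const UNSUB_URL = 'https://mail.example.invalid/unsubscribe?u=42';

function demonstrate() {
  const naive = buildListHeaderNaive('Unsubscribe', UNSUB_URL, MALICIOUS_COMMENT);
  const injected = parseHeaderBlock(naive); // two headers; the second is Bcc

  let hardenedError = null;
  try {
    buildListHeader('Unsubscribe', UNSUB_URL, MALICIOUS_COMMENT);
  } catch (err) {
    hardenedError = err.message;
  }

  // A benign comment with parentheses survives, escaped, on a single line.
  const safe = buildListHeader('Unsubscribe', UNSUB_URL, 'One click (no login)');

  return {
    injectedHeaderCount: injected.length,
    smuggledName: injected[1].name,
    hardenedError,
    safe,
  };
}

console.log(demonstrate());
```

The point of keeping the naive builder beside the hardened one is the check a reviewer can run locally: feed the same comment through both and confirm the permissive parser sees two headers from the first and an exception from the second. Rejecting rather than stripping is a deliberate choice; a stripped CR/LF leaves no trace that someone tried.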

coderabbitai Bot commented Jun 17, 2026


Warning

Review limit reached

@brendan-kellam, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 4 minutes and 36 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86f4cbe4-76cb-4003-8585-c0d31b3b3651

📥 Commits

Reviewing files that changed from the base of the PR and between fee2191 and cd7a39e.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

A single line is added to CHANGELOG.md under ## [Unreleased] → ### Fixed, recording the nodemailer dependency upgrade to ^8.0.11 and referencing PR #1328.

Changes

Changelog entry for nodemailer upgrade

Layer: Unreleased changelog entry
File(s): CHANGELOG.md
Summary: Adds a bullet under ### Fixed noting the nodemailer upgrade to ^8.0.11 with PR reference.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Possibly related PRs

  • sourcebot-dev/sourcebot#1121: Introduced the original nodemailer v8 upgrade and the corresponding changelog remediation text that this PR updates with the finalized version ^8.0.11.

brendan-kellam force-pushed the linear/sou-1352-sourcebot-devsourcebot-ghsa-268h-hp4c-crq3-nodemailer-f111 branch from 190fbfd to 7591b5f on June 17, 2026 22:21
github-actions Bot commented Jun 17, 2026

License Audit

⚠️ Status: PASS

Metric                     Count
Total packages             2139
Resolved (non-standard)    20
Unresolved                 0
Strong copyleft            0
Weak copyleft              39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.11 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (20)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT LICENSE file in package (MIT License text)
@react-grab/cli 0.1.29 UNKNOWN MIT LICENSE file in package (MIT License text)
@react-grab/mcp 0.1.29 UNKNOWN MIT LICENSE file in package (MIT License text)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT Self-identifying license string: Functional Source License 1.1 with MIT future grant (Fair Source / source-available, not OSI-approved, converts to MIT after 2 years; not copyleft)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 LICENSE file in package (Apache License 2.0 text); repo github.com/livebook-dev/codemirror-lang-elixir
element-source 0.0.3 UNKNOWN MIT LICENSE file in package (MIT License text)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 LICENSE file in package (Apache License 2.0 text); repo github.com/livebook-dev/lezer-elixir
map-stream 0.1.0 UNKNOWN MIT LICENCE file in package (MIT License text)
memorystream 0.3.1 UNKNOWN MIT Extracted from license object type field + LICENSE file (MIT License text)
pause-stream 0.0.11 ["MIT","Apache2"] (MIT OR Apache-2.0) Extracted from license array ["MIT","Apache2"] + LICENSE file (Dual Licensed MIT and Apache 2)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 LICENSE file in package (Apache License 2.0 text); repo github.com/PostHog/posthog-js
valid-url 1.0.9 UNKNOWN MIT LICENSE file in package (MIT License text)

Refreshes the lockfile so nodemailer resolves to 8.0.11, which patches
the CRLF injection in List-* header comments (GHSA-268h-hp4c-crq3).

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1352/sourcebot-devsourcebot-ghsa-268h-hp4c-crq3-nodemailer-crlf-injection#agent-session-54dfebc0)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
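The check a reviewer would want for a lockfile-only change like the one in this PR and commit message: confirm from the lockfile itself that the package resolved to a version at or above the fixed release, and that the declared range admits it. This is an added example written for this page, not part of the PR or of Yarn; the lockfile text is constructed in the shape of a Yarn Berry lockfile with a placeholder checksum, and the semver handling is a deliberate simplification that ignores prerelease tags (a real pipeline should use the semver package).

```javascript
// Added example (not the PR's code, not Yarn's): audit a lockfile for a
// package's resolved version and check it against a fixed release.
// LOCKFILE_PATCHED is constructed in the shape of a Yarn Berry lockfile;
// the checksum is a placeholder, not a real hash.
const LOCKFILE_PATCHED = `
__metadata:
  version: 8
  cacheKey: 10c0

"nodemailer@npm:^8.0.5":
  version: 8.0.11
  resolution: "nodemailer@npm:8.0.11"
  checksum: 10c0/placeholder
  languageName: node
  linkType: hard
`;

// Same file before the refresh: the range is unchanged but resolution is older.
const LOCKFILE_STALE = LOCKFILE_PATCHED.replace(/8\.0\.11/g, '8.0.9');

// Parse top-level "<descriptor>:" entries and their indented "version:" line.
// Only the keys this check needs are read; every other line is ignored.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    const header = !line.startsWith(' ') && line.match(/^"?(.+?)"?:\s*$/);
    if (header) {
      current = { descriptor: header[1], version: null };
      entries.push(current);
      continue;
    }
    const version = line.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
    if (version && current) current.version = version[1];
  }
  return entries;
}

// Minimal semver: numeric major.minor.patch only. Prerelease suffixes are
// ignored here (a simplification); use the semver package for real pipelines.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: "8.0.11" is greater than "8.0.9", which a string
// comparison gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: same major and at or above the minimum.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges handled here');
  const min = range.slice(1);
  return parseVersion(version)[0] === parseVersion(min)[0]
    && compareVersions(version, min) >= 0;
}

// Report every lockfile entry for `pkg`, each with a fixed/unfixed verdict,
// so a second descriptor that still resolves lower is surfaced, not hidden.
function auditPackage(lockfileText, pkg, fixedVersion) {
  return parseLockfile(lockfileText)
    .filter((e) => e.descriptor.split(',').some((d) => d.trim().startsWith(`${pkg}@`)))
    .map((e) => ({
      descriptor: e.descriptor,
      version: e.version,
      fixed: e.version !== null && compareVersions(e.version, fixedVersion) >= 0,
    }));
}

console.log(auditPackage(LOCKFILE_PATCHED, 'nodemailer', '8.0.11'));
console.log(auditPackage(LOCKFILE_STALE, 'nodemailer', '8.0.11'));
```

Run against the real `yarn.lock` by reading the file into `auditPackage` in place of the constructed text. Two things this catches that eyeballing the diff does not: a package.json range that admits the fix while the lockfile still pins an older release, and a duplicate entry for the same package under a second descriptor that never moved.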
brendan-kellam force-pushed the linear/sou-1352-sourcebot-devsourcebot-ghsa-268h-hp4c-crq3-nodemailer-f111 branch from 7591b5f to cd7a39e on June 17, 2026 22:32
@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 22:32
@brendan-kellam brendan-kellam merged commit a6d1d6c into main Jun 17, 2026
8 checks passed
@brendan-kellam brendan-kellam deleted the linear/sou-1352-sourcebot-devsourcebot-ghsa-268h-hp4c-crq3-nodemailer-f111 branch June 17, 2026 22:32