chore: upgrade nodemailer to ^8.0.9 to address GHSA-r7g4-qg5f-qqm2

[brendan-kellam]

Fixes SOU-1354

Upgrades nodemailer from 8.0.5 to ^8.0.9 (resolves to 8.0.11) to address GHSA-r7g4-qg5f-qqm2, where Nodemailer's internal HTTPS fetch client disabled TLS certificate verification (rejectUnauthorized: false) for OAuth2 token requests. This release also covers the other open Nodemailer advisories.

nodemailer is a direct dependency of @sourcebot/web, so this is a top-level bump.

Summary by CodeRabbit

• Chores
  • Updated email service dependency to the latest patch version for improved reliability.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 29eadacc-a01c-47fd-b1ad-f6210d960be7

📥 Commits

Reviewing files that changed from the base of the PR and between e626691 and ee67f96.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• CHANGELOG.md
• packages/web/package.json

---

Walkthrough

nodemailer is bumped from ^8.0.5 to ^8.0.9 in packages/web/package.json, and a corresponding entry is added to the [Unreleased] → Fixed section of CHANGELOG.md.

Changes

nodemailer dependency update

Layer / File(s)	Summary
nodemailer version bump and changelog entry packages/web/package.json, CHANGELOG.md	nodemailer updated from ^8.0.5 to ^8.0.9 in the web package dependencies; changelog records this as a fix under [Unreleased].

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• sourcebot-dev/sourcebot#1121: Previously bumped nodemailer to ^8.0.5 in packages/web/package.json; this PR continues that upgrade line to ^8.0.9.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch linear/sou-1354-sourcebot-devsourcebot-ghsa-r7g4-qg5f-qqm2-nodemailer-05c3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2136
Resolved (non-standard)	11
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
dompurify	3.4.0	(MPL-2.0 OR Apache-2.0)
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (11)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	LICENSE file in published package (node_modules)
@react-grab/cli	0.1.29	UNKNOWN	MIT	LICENSE file in published package (node_modules)
@react-grab/mcp	0.1.29	UNKNOWN	MIT	LICENSE file in published package (node_modules)
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	LICENSE file in published package (node_modules) / GitHub repo livebook-dev/codemirror-lang-elixir
element-source	0.0.3	UNKNOWN	MIT	LICENSE file in published package (node_modules)
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	LICENSE file in published package (node_modules) / GitHub repo livebook-dev/lezer-elixir
map-stream	0.1.0	UNKNOWN	MIT	LICENCE file in published package (node_modules)
memorystream	0.3.1	UNKNOWN	MIT	extracted from package.json licenses object {type:"MIT"}; confirmed by LICENSE file
pause-stream	0.0.11	MIT,Apache2	MIT OR Apache-2.0	extracted from license array in object; confirmed by LICENSE file (dual MIT/Apache-2.0)
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	LICENSE file in published package (node_modules) / GitHub repo PostHog/posthog-js
valid-url	1.0.9	UNKNOWN	MIT	LICENSE file in published package (node_modules)