Charles Bochet fc764115ef security: clear all High next alerts by upgrading react-email 5 → 6 (#21377)
## What

Clears **all 9 High `next` Dependabot alerts** (incl.
GHSA-26hh-7cqf-hhc6) in twenty-emails — via a parent bump, no
resolutions.

All 9 traced to a stale **`next@16.0.10`** pulled by
`@react-email/preview-server` 5.x. The latest preview-server 5.x still
ships a vulnerable next (16.1.7 < 16.2.6), so bumping it alone wouldn't
help. **react-email 6.x** is a rewrite that no longer depends on next or
on a separate preview-server.

- bump `react-email` `5.1.0` → `6.5.0`
- remove the obsolete `@react-email/preview-server` devDependency
- add `@react-email/ui` `6.5.0` devDependency

### Why `@react-email/ui` (the CI fix)

react-email 6's `email dev` preview server loads its UI from
`@react-email/ui`, and **prompts to install it interactively** if
missing — which hangs the `emails-test` CI job (no TTY), so the server
never starts and the `/preview/test.email` smoke check fails. Pinning
`@react-email/ui` makes `email dev` start non-interactively.

### Net effect on `next`

The vulnerable `16.0.10` is gone. `@react-email/ui@6.5.0` pulls
**`next@16.2.6`** — the **patched** version (≥ every current next
advisory fix), so all 9 alerts clear and **no vulnerable next remains**.

## Notes
- `react-email` and `@react-email/ui` pinned to exact `6.5.0` (matching
the prior react-email pin) because the `6.6.0` line was published today
and is still registry-quarantined.
- react-email is a dev-only preview tool; CI builds emails via `vite` +
typecheck.

## Verification
- No `next < 16.2.6` in `yarn.lock`
- `nx build` + `nx typecheck` twenty-emails
- `email dev -d src/emails -p 4001` starts non-interactively and serves
`/preview/test.email` → HTTP 200 (reproduces the emails-test check, now
passing)
- `yarn install --immutable` clean
2026-06-10 10:46:59 +02:00
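The first verification item above (no `next < 16.2.6` left in `yarn.lock`) is the check worth automating so a future lockfile change cannot silently reintroduce a vulnerable transitive `next`. Added example, not code from the commit or the twenty repository: it parses the Yarn Berry lockfile format (assumed, since the commit uses `yarn install --immutable`) with no dependencies, collects every resolved version of a package and flags those below a patched floor; the lockfile text is a constructed sample, not the real one.

```javascript
// Added example (not from the twenty repo): flag resolved versions of a
// package in a Yarn Berry yarn.lock that fall below a patched minimum.
const MIN_PATCHED_NEXT = "16.2.6"; // floor named in the commit message

// Constructed sample in Yarn Berry lockfile layout, not the real twenty lock.
const SAMPLE_LOCK = `
__metadata:
  version: 8

"next@npm:16.0.10":
  version: 16.0.10
  resolution: "next@npm:16.0.10"

"next@npm:16.2.6, next@npm:^16.2.0":
  version: 16.2.6
  resolution: "next@npm:16.2.6"

"@react-email/ui@npm:6.5.0":
  version: 6.5.0
  resolution: "@react-email/ui@npm:6.5.0"
`;

// Collect every "version:" resolved under a block whose header descriptors
// name `pkg` (headers look like "name@npm:range, name@npm:range2":).
function resolvedVersions(lockText, pkg) {
  const versions = new Set();
  let inTarget = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (line && !line.startsWith(" ") && !line.startsWith("#")) {
      const descriptors = line.replace(/:$/, "").replace(/^"|"$/g, "")
        .split(",").map((d) => d.trim());
      // "next@" does not match "next-auth@" or a scoped "@x/next@".
      inTarget = descriptors.some((d) => d.startsWith(pkg + "@"));
    } else if (inTarget) {
      const m = line.match(/^ {2}version: "?([^"\s]+)"?$/);
      if (m) versions.add(m[1]);
    }
  }
  return versions;
}

// Minimal semver comparison: numeric major.minor.patch, and a pre-release
// tag sorts below the same release (16.2.6-canary.1 < 16.2.6).
function compareSemver(a, b) {
  const [aCore, aPre] = a.split("-");
  const [bCore, bPre] = b.split("-");
  const an = aCore.split(".").map(Number);
  const bn = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = an[i] || 0, y = bn[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Sorted list of resolved versions still below the patched floor.
function vulnerableVersions(lockText, pkg, minPatched) {
  return [...resolvedVersions(lockText, pkg)]
    .filter((v) => compareSemver(v, minPatched) < 0)
    .sort(compareSemver);
}

console.log(vulnerableVersions(SAMPLE_LOCK, "next", MIN_PATCHED_NEXT)); // [ '16.0.10' ]
```

Run it against the real `yarn.lock` by replacing `SAMPLE_LOCK` with `fs.readFileSync("yarn.lock", "utf8")`; a non-empty result is the condition to fail CI on.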