
[codex] Resolve Dependabot security alerts #404

Merged: KMKoushik merged 1 commit into main from codex/fix-dependabot-alerts on May 18, 2026

Conversation

KMKoushik (Member) commented May 18, 2026

Summary

  • Updated direct vulnerable dependencies across the web, marketing, SMTP server, UI, email editor, and Python SDK workspaces.
  • Regenerated pnpm-lock.yaml and packages/python-sdk/poetry.lock so transitive vulnerable packages resolve to patched versions or are removed.
  • Updated the PyPI publish GitHub Action to pypa/gh-action-pypi-publish@v1.13.0.
  • Tightened the Python SDK runtime to Python 3.10+ because patched requests releases require Python 3.10+.

Dependabot triage

  • Pulled 202 open Dependabot alerts with gh api.
  • Validated the local branch against each alert's vulnerable version range.
  • Result: 0 remaining vulnerable local versions; black and @smithy/config-resolver are no longer present in the resolved locks.
  • No alerts were dismissed because the alerts were valid and fixable in code/lockfiles.

Verification

  • pnpm install --frozen-lockfile --ignore-scripts
  • pnpm test:web:unit
  • pnpm test:web:trpc
  • pnpm test:web:api
  • pnpm --filter=web exec tsc --noEmit
  • poetry install --with dev
  • poetry check
  • poetry run pytest

No builds or migrations were run.


Summary by cubic

Resolves Dependabot security alerts by upgrading vulnerable packages across workspaces and regenerating lockfiles. Also raises the Python SDK to Python 3.10+, bumps requests/urllib3, and updates the PyPI publish action.

  • Dependencies
    • Node apps: upgraded next 15.5.18, AWS SDK 3.104x, @trpc/* 11.17.0, @tanstack/react-query 5.100.10, hono 4.12.19, jsx-email 2.8.4, nodemailer 8.0.5, postcss 8.5.14, next-auth 4.24.14.
    • SMTP server: bumped mailparser 3.9.8, smtp-server 3.18.4, @types/nodemailer 8.0.0.
    • Python SDK: require Python 3.10+, requests ^2.33.0 (locks to 2.34.2), add urllib3 ^2.7.0.
    • Lockfiles: regenerated pnpm-lock.yaml and poetry.lock; removed old pnpm.overrides pin.
    • Tooling/CI: pinned mintlify to ^4.2.566, bumped pnpm to ^10.28.2 where used, updated pypa/gh-action-pypi-publish to v1.13.0.
    • Misc: updated Webhook unit test to use string contactBookId; added REDIS_URL to turbo.json.
  • Migration
    • Python SDK now requires Python 3.10+. Upgrade runtimes before updating.

Written for commit e766713.

Summary by CodeRabbit

  • Chores
    • Updated dependencies across multiple applications and packages, including Next.js (15.5.18), AWS SDK clients, and various development tools.
    • Python SDK now requires Python 3.10+ (upgraded from 3.8+).
    • Updated PyPI publishing workflow version and extended Turbo build configuration environment variables.
  • Tests
    • Updated webhook service test fixture data.
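As an added illustration of the Dependabot triage step described in the PR body (this is example code, not code from the PR or the useSend project): a Python checker that evaluates each resolved lockfile version against an alert's vulnerable_version_range, which is the kind of check behind a "0 remaining vulnerable local versions" result. The alert payload, ranges and before/after version maps are constructed placeholders; only the field names follow GitHub's Dependabot alerts API, and a package absent from the regenerated locks is treated as resolved, as the PR does for black and @smithy/config-resolver.

```python
import re

# Constructed sample of two open alerts, shaped like `gh api repos/OWNER/REPO/dependabot/alerts`
# output trimmed to the fields used here; the ranges are placeholders, not real advisory data.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "security_vulnerability": {
        "package": {"ecosystem": "npm", "name": "hono"},
        "vulnerable_version_range": ">= 4.0.0, < 4.12.19"}},
    {"number": 2, "state": "open", "security_vulnerability": {
        "package": {"ecosystem": "pip", "name": "requests"},
        "vulnerable_version_range": "< 2.32.4"}},
]
# Constructed "ecosystem:name -> resolved version" maps, as read from the lockfiles.
BEFORE = {"npm:hono": "4.12.0", "pip:requests": "2.31.0"}
AFTER = {"npm:hono": "4.12.19", "pip:requests": "2.34.2"}
_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "=": lambda a, b: a == b}
_CLAUSE = re.compile(r"^(>=|<=|==|>|<|=)\s*(\S+)$")

def parse_version(text):
    """Dotted numeric version -> int tuple padded to 3 parts (pre-release tags dropped)."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip().lstrip("v"))
    if not core:
        raise ValueError(f"unparsable version: {text!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def in_range(version, vulnerable_range):
    """True if version satisfies every comma-separated clause of a Dependabot range."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparsable clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

def triage(alerts, resolved):
    """{ecosystem:name: (alert number, version)} for open alerts still resolved to a vulnerable version."""
    still_vulnerable = {}
    for alert in (a for a in alerts if a["state"] == "open"):
        sv = alert["security_vulnerability"]
        key = f'{sv["package"]["ecosystem"]}:{sv["package"]["name"]}'
        version = resolved.get(key)  # None: package no longer in the locks, counts as resolved
        if version is not None and in_range(version, sv["vulnerable_version_range"]):
            still_vulnerable[key] = (alert["number"], version)
    return still_vulnerable
```

Running `triage(SAMPLE_ALERTS, BEFORE)` flags both packages, while `triage(SAMPLE_ALERTS, AFTER)` returns an empty dict; pre-release suffixes are ignored, so a range that ends exactly at a pre-release tag needs a fuller version parser.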


vercel Bot commented May 18, 2026

The latest updates on your projects.

Project: unsend-marketing | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 18, 2026 4:47am

coderabbitai Bot (Contributor) commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between aa7c234 and e766713.

⛔ Files ignored due to path filters (2)
  • packages/python-sdk/poetry.lock is excluded by !**/*.lock
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .github/workflows/release-python-package.yml
  • apps/marketing/package.json
  • apps/smtp-server/package.json
  • apps/web/package.json
  • apps/web/src/server/service/webhook-service.unit.test.ts
  • package.json
  • packages/email-editor/package.json
  • packages/python-sdk/pyproject.toml
  • packages/ui/package.json
  • turbo.json

Walkthrough

This PR updates dependencies across the monorepo's JavaScript and Python workspaces. PyPI publish action is bumped to v1.13.0, and REDIS_URL is added to Turbo's build environment. The root package.json pins mintlify to a specific version and removes a shiki override. Next.js and related ecosystem packages are bumped to 15.5.18 in marketing and web apps. SMTP, email editor, and UI packages update their build tools and runtime dependencies. The Python SDK raises its minimum version to 3.10 and updates requests and urllib3 dependencies. A webhook service test fixture is corrected to pass contactBookId as a string instead of numeric.

Possibly related PRs

  • usesend/useSend#326: Earlier Next.js version bump to 15.5.9; this PR continues by advancing to 15.5.18 in the same package.json files.
  • usesend/useSend#301: Also updates Next.js dependency versions across marketing and web app packages.
  • usesend/useSend#321: Directly opposes the shiki override removal; that PR added pnpm.overrides.shiki@3.3.0 to the root package.json, which this PR removes.
Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The PR title '[codex] Resolve Dependabot security alerts' accurately summarizes the main objective of the changeset, which is to address security vulnerabilities by updating vulnerable dependencies across multiple workspaces and regenerating lock files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


cloudflare-workers-and-pages Bot commented May 18, 2026

Deploying usesend with Cloudflare Pages

Latest commit: e766713
Status: ✅ Deploy successful!
Preview URL: https://45b20b37.usesend.pages.dev
Branch Preview URL: https://codex-fix-dependabot-alerts.usesend.pages.dev

KMKoushik force-pushed the codex/fix-dependabot-alerts branch from 052ebdf to e766713 on May 18, 2026 04:46
@KMKoushik KMKoushik marked this pull request as ready for review May 18, 2026 04:48
@KMKoushik KMKoushik merged commit 2eca312 into main May 18, 2026
6 checks passed
@KMKoushik KMKoushik deleted the codex/fix-dependabot-alerts branch May 18, 2026 04:53