emailengine-app 2.68.0 → 2.68.1

package/.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+name: "EmailEngine CodeQL config"
+
+# Exclude code that is not part of the production runtime from analysis.
+# These paths generate only false-positive noise:
+#   - test fixtures intentionally disable TLS verification, build shell
+#     commands from fixed paths, etc.
+#   - vendored third-party browser assets (Bootstrap and other bundles) ship
+#     with their own known patterns and are not maintained here
+#   - developer helper scripts (e.g. test-token refresh) deliberately print
+#     tokens to the console for local debugging
+paths-ignore:
+    - test
+    - '**/test/**'
+    - scripts
+    - static/bootstrap-4.6.2-dist
+    - static/vendor

package/.github/workflows/codeql.yml

@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '40 17 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - name: Run manual build steps
+      if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

package/.github/workflows/deploy.yml

@@ -5,6 +5,9 @@ on:
 
 name: Deploy test instance and Docker image
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
@@ -60,6 +63,9 @@ jobs:
     docker:
         name: Build Docker Image
         runs-on: ubuntu-24.04
+        permissions:
+            contents: read
+            packages: write
 
         steps:
             - name: Checkout

package/.github/workflows/test.yml

@@ -4,6 +4,9 @@ on:
     push:
     pull_request:
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [2.68.1](https://github.com/postalsys/emailengine/compare/v2.68.0...v2.68.1) (2026-06-01)
+
+
+### Bug Fixes
+
+* harden mergeObjects and tighten CodeQL scanning ([d35025d](https://github.com/postalsys/emailengine/commit/d35025daabf8fe7b3f5200b0000f52c3a012f4eb))
+* prevent IMAP proxy worker crashes and connection leaks ([#596](https://github.com/postalsys/emailengine/issues/596)) ([4453330](https://github.com/postalsys/emailengine/commit/4453330ad38fb3e64692add1357d48227e1956e0))
+* stop referencing prepared password string in error log ([50cdb89](https://github.com/postalsys/emailengine/commit/50cdb8998e27f33f700f267cb39ddba39e7d32d0))
+
 ## [2.68.0](https://github.com/postalsys/emailengine/compare/v2.67.3...v2.68.0) (2026-05-26)
 
 

package/SECURITY.md

@@ -0,0 +1,80 @@
+# Security Policy
+
+EmailEngine is a self-hosted email integration platform that stores email
+account credentials and proxies access to IMAP/SMTP, the Gmail API, and the
+Microsoft Graph API. Because it handles sensitive credentials and message
+content, we take security reports seriously and aim to respond quickly.
+
+## Supported Versions
+
+Security fixes are released only against the latest version. We do not backport
+patches to older releases - upgrading to the current release line is the
+supported way to receive security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x     | :white_check_mark: |
+| < 2.0   | :x:                |
+
+If you are on an older version, please upgrade. See the release notes at
+<https://github.com/postalsys/emailengine/releases> before updating.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+pull requests, or discussions.**
+
+Report privately through one of the following channels:
+
+1. **GitHub Security Advisories (preferred).** Open a private report at
+   <https://github.com/postalsys/emailengine/security/advisories/new>. This keeps
+   the discussion private until a fix is published and lets us credit you.
+2. **Email.** Send details to **andris@postalsys.com** (the contact listed in
+   [`SECURITY.txt`](SECURITY.txt)). Encrypt sensitive details if possible.
+
+When reporting, please include as much of the following as you can:
+
+- The affected version(s) and environment (EmailEngine version, Node.js version,
+  OS, deployment method - npm, Docker, or prebuilt binary).
+- The component involved (e.g. REST API, admin web UI, OAuth2 flows, IMAP/SMTP
+  proxy server, webhook delivery, credential encryption, the export pipeline).
+- A clear description of the issue and its impact (e.g. authentication bypass,
+  privilege escalation, credential disclosure, SSRF, injection, information
+  disclosure, denial of service).
+- A minimal proof of concept or reproduction steps.
+- Any suggested remediation, if you have one.
+
+We are a small team, so there is no guaranteed response time - sometimes reports
+are handled within hours, sometimes they take longer. Accepted issues are fixed
+in a new release and coordinated through a GitHub Security Advisory, and
+reporters who wish to be named are credited.
+
+## CVEs
+
+We track and disclose vulnerabilities through GitHub Security Advisories. We do
+not request or manage CVE identifiers ourselves. If you need a CVE assigned for a
+reported issue, please request one yourself - for example, through GitHub's own
+CVE request flow on the published advisory, or another CNA.
+
+## Scope
+
+In scope: the EmailEngine application source in this repository - the REST API
+and admin web UI (authentication, session and token handling, CSRF protection),
+OAuth2 application handling, credential encryption at rest, the IMAP/SMTP and
+IMAP proxy servers, webhook delivery (including custom filter/transform
+functions), the export pipeline, and inter-worker communication.
+
+Out of scope:
+
+- Vulnerabilities in your own application code that integrates with EmailEngine.
+- Misconfiguration of your deployment - for example, exposing the admin
+  interface or REST API to untrusted networks, weak service secrets, an
+  unauthenticated or publicly reachable Redis instance, or missing TLS.
+- Issues that require an already-compromised host or pre-existing administrator
+  access.
+- Vulnerabilities in third-party email providers and services that EmailEngine
+  connects to (Gmail, Microsoft 365, arbitrary IMAP/SMTP servers).
+- Social-engineering reports and missing security headers without a
+  demonstrated, concrete impact.
+
+Thank you for helping keep EmailEngine and its users safe.

package/SECURITY.txt

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: https://github.com/postalsys/emailengine/security/advisories/new
+Contact: mailto:andris@postalsys.com
+Expires: 2027-06-01T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+Canonical: https://github.com/postalsys/emailengine/blob/master/SECURITY.txt
+Policy: https://github.com/postalsys/emailengine/blob/master/SECURITY.md
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCAA5FiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmodKpsbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJENxsg/TVhNNkbcEP/j1v3M9ebklJgaCxkVEl
+xij24q4p+28s1ywf4y/aquBtcVkWd+y6vjG/f4RUUUtaSVChvnI5en14X8QuuSnk
+egsRARvCY9E2dbodMSyDUMWS8slRcFTDczQJhtXBD8Fu+/tWPj1UfQ8xR87ZUZ5b
+nOgCfCFnvSuDh9KBauUKZcSyuLCJ5saBuZ3RACzmz57wpzFE3vi4/q4tQAaBM5Za
+m4293Yx8ioX01S3nR5VRL8dlpdMEFy0dj66v/OFu4p3MjGf+0cpmZ7YKC8U5PhNQ
+FcQMTNkfBtkgc5lj42cKV8BBhCtN2og3u+Bhih0h0XItv4b/o9rWBtivXIQcHdtl
+WyGrrbgfGl503aVj8N0cIQ1eaWAbuRRJVHwF/G11sX6ZvhiLHdHf5YSjOrmyhSmx
+6t2gsKMrrvoODRUOqpu8ll8Rosu6m/EaNWgh9KXJyYqgQqGS+NeQHcC51fWMLjxd
+7zvYrNKqhMEU8e6siyLdJJgqAJCCtl9vS/kLItPz9hBk3KE2/kXfvQc6OF4I4ziU
+3/Edf1v37koEnT07P5HdiGgUo+u4Vo8OUEm5Ih88EWaWijHGLPeJ0NyMfkwsveTw
+n1z7pmCdZ+B9pglRGx3Mae7P8L1s1LeL8cQWo4QZ2nUcA5vtOiWfDAywlrN0mSNv
+lfeE0/subU9kC04LRJ6NUhZp
+=8lqK
+-----END PGP SIGNATURE-----

package/data/google-crawlers.json

@@ -1,5 +1,5 @@
 {
-    "creationTime": "2026-05-25T14:45:59.000000",
+    "creationTime": "2026-05-29T14:45:42.000000",
     "prefixes": [
         {
             "ipv6Prefix": "2001:4860:4801:2008::/64"
@@ -307,6 +307,9 @@
         {
             "ipv6Prefix": "2001:4860:4801:207d::/64"
         },
+        {
+            "ipv6Prefix": "2001:4860:4801:207e::/64"
+        },
         {
             "ipv6Prefix": "2001:4860:4801:2080::/64"
         },
@@ -790,6 +793,9 @@
         {
             "ipv4Prefix": "74.125.219.160/27"
         },
+        {
+            "ipv4Prefix": "74.125.219.192/27"
+        },
         {
             "ipv4Prefix": "74.125.219.32/27"
         },

package/lib/imapproxy/imap-core/lib/imap-command.js

@@ -369,7 +369,7 @@ class IMAPCommand {
     countBadResponses() {
         this.connection._badCount++;
         if (this.connection._badCount > MAX_BAD_COMMANDS) {
-            this.clearNotificationListener();
+            this.connection.clearNotificationListener();
             this.connection.send('* BYE Too many protocol errors');
             setImmediate(() => this.connection.close(true));
             return false;

package/lib/imapproxy/imap-core/lib/imap-connection.js

@@ -210,6 +210,13 @@ class IMAPConnection extends EventEmitter {
             this._socket.setTimeout(0, this._onTimeoutHandler);
         }
 
+        // After handoff to proxy mode the connection's own close/end handlers are gone,
+        // so _onClose can never run to remove this connection from the server set.
+        // Drop it from the set when the handed-off socket finally closes to avoid a leak.
+        this._socket.once('close', () => {
+            this._server.connections.delete(this);
+        });
+
         return { socket: this._socket };
     }
 

package/lib/imapproxy/imap-core/lib/imap-server.js

@@ -258,7 +258,7 @@ class IMAPServer extends EventEmitter {
                                     },
                                     'PROXY from %s through %s (%s)',
                                     params[1].trim().toLowerCase(),
-                                    params[2].trim().toLowerCase(),
+                                    (params[2] || '').trim().toLowerCase(),
                                     JSON.stringify(params)
                                 );
                             }

package/lib/imapproxy/imap-server.js

@@ -71,6 +71,30 @@ async function call(message, transferList) {
     });
 }
 
+// Resolve pending call() promises when the main thread answers. Without this any
+// RPC issued from this worker (via the `call` passed into Account) would never settle
+// and would reject on timeout. Mirrors the handlers in workers/imap.js and smtp.js.
+parentPort.on('message', message => {
+    if (message && message.cmd === 'resp' && message.mid && callQueue.has(message.mid)) {
+        let { resolve, reject, timer } = callQueue.get(message.mid);
+        clearTimeout(timer);
+        callQueue.delete(message.mid);
+
+        if (message.error) {
+            let err = new Error(message.error);
+            if (message.code) {
+                err.code = message.code;
+            }
+            if (message.statusCode) {
+                err.statusCode = message.statusCode;
+            }
+            return reject(err);
+        }
+
+        return resolve(message.response);
+    }
+});
+
 async function metrics(logger, key, method, ...args) {
     try {
         parentPort.postMessage({
@@ -86,7 +110,7 @@ async function metrics(logger, key, method, ...args) {
 
 const { ImapFlow } = require('imapflow');
 const { IMAPServer, imapHandler } = require('./imap-core/index.js');
-const { PassThrough } = require('./imap-core/lib/length-limiter.js');
+const { PassThrough } = require('stream');
 
 const packageInfo = require('../../package.json');
 const util = require('util');
@@ -113,7 +137,7 @@ class PassThroughLogger extends PassThrough {
                 data: chunk.toString('base64'),
                 compress: !!this.imapClient._deflate,
                 secure: !!this.imapClient.secureConnection,
-                cid: this.id
+                cid: this.cid
             });
         }
 
@@ -361,7 +385,7 @@ const createServer = function (options = {}) {
                 message = util.format(message, ...args);
             }
             data.msg = message;
-            if (typeof logger[level] === 'function') {
+            if (typeof serverLogger[level] === 'function') {
                 serverLogger[level](data);
             } else {
                 serverLogger.debug(data);
@@ -408,39 +432,78 @@ const createServer = function (options = {}) {
                                 logger: proxyLogger.child({ src: 'C' })
                             });
 
+                            // Idempotent teardown for both legs of the proxy. ImapFlow.close() is
+                            // safe after unbind(): it sends no LOGOUT, clears timers (including
+                            // autoidle), removes the deflate/writeSocket error forwarders and
+                            // destroys the upstream socket. Without it the upstream connection and
+                            // its idle timer would leak (most visibly with COMPRESS enabled).
+                            let proxyClosed = false;
+                            const closeProxy = () => {
+                                if (proxyClosed) {
+                                    return;
+                                }
+                                proxyClosed = true;
+
+                                try {
+                                    downstream.imapClient.close();
+                                } catch (err) {
+                                    proxyLogger.error({ msg: 'Failed to close upstream connection', err });
+                                }
+
+                                try {
+                                    if (upstream.socket && !upstream.socket.destroyed) {
+                                        upstream.socket.end();
+                                    }
+                                } catch (err) {
+                                    // ignore
+                                }
+                            };
+
+                            // Every terminal event from either leg funnels into the idempotent
+                            // closeProxy(). The helper keeps that wiring declarative; pass a message
+                            // to log (level defaults to 'error', use 'info' for graceful closes).
+                            const teardownOn = (emitter, event, msg, level = 'error') => {
+                                emitter.on(event, err => {
+                                    if (msg) {
+                                        let entry = { msg };
+                                        if (err) {
+                                            entry.err = err;
+                                        }
+                                        proxyLogger[level](entry);
+                                    }
+                                    closeProxy();
+                                });
+                            };
+
                             downstream.readSocket.pipe(upstreamLogger).pipe(upstream.socket);
                             upstream.socket.pipe(downstreamLogger).pipe(downstream.writeSocket);
 
-                            upstreamLogger.on('error', err => {
-                                proxyLogger.error({ msg: 'Client error', err });
-                                upstream.socket.end();
-                            });
-
-                            downstreamLogger.on('error', err => {
-                                proxyLogger.error({ msg: 'Server error', err });
-                                downstream.writeSocket.end();
-                                downstream.readSocket.end();
-                            });
+                            teardownOn(upstreamLogger, 'error', 'Proxy stream error (to client)');
+                            teardownOn(downstreamLogger, 'error', 'Proxy stream error (to upstream)');
+                            teardownOn(upstream.socket, 'error', 'Client socket error');
+                            teardownOn(upstream.socket, 'end', 'Client connection closed', 'info');
+                            teardownOn(upstream.socket, 'close');
+                            teardownOn(downstream.readSocket, 'end', 'Upstream connection closed', 'info');
 
                             downstream.readSocket.on('error', err => {
-                                proxyLogger.error({ msg: 'Client error', err });
-                                upstreamLogger.end('* BYE Upstream connection error\r\n');
-                            });
-
-                            upstream.socket.on('error', err => {
-                                proxyLogger.error({ msg: 'Upstream error', err });
-                                downstreamLogger.end();
+                                proxyLogger.error({ msg: 'Upstream read error', err });
+                                try {
+                                    // best-effort notice to the client before tearing down
+                                    upstream.socket.write('* BYE Upstream connection error\r\n');
+                                } catch (e) {
+                                    // ignore
+                                }
+                                closeProxy();
                             });
 
-                            downstream.readSocket.on('end', () => {
-                                proxyLogger.info({ msg: 'Client connection closed' });
-                                upstreamLogger.end();
-                            });
-
-                            upstream.socket.on('end', () => {
-                                proxyLogger.info({ msg: 'Server connection closed' });
-                                downstreamLogger.end();
-                            });
+                            // With COMPRESS enabled, readSocket/writeSocket are the inflate/deflate
+                            // streams, not the raw upstream socket, and unbind() removed ImapFlow's
+                            // own listeners from that socket. An upstream reset would then emit an
+                            // 'error' with no listener and crash the worker - guard it explicitly.
+                            if (downstream.imapClient.socket && downstream.imapClient.socket !== downstream.readSocket) {
+                                teardownOn(downstream.imapClient.socket, 'error', 'Upstream socket error');
+                                teardownOn(downstream.imapClient.socket, 'close');
+                            }
 
                             proxyLogger.info({ msg: 'Proxy mode enabled' });
                         };

package/lib/tools.js

@@ -1571,6 +1571,11 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV3QUiYsp13nD9suD1/ZkEXnuMoSg
 
     mergeObjects(destination, source) {
         for (let propKey of Object.keys(source)) {
+            // Guard against prototype pollution from crafted keys in parsed JSON
+            if (propKey === '__proto__' || propKey === 'constructor' || propKey === 'prototype') {
+                continue;
+            }
+
             let sourceVal = source[propKey];
 
             if (typeof destination[propKey] === 'undefined') {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "emailengine-app",
-    "version": "2.68.0",
+    "version": "2.68.1",
     "private": false,
     "productTitle": "EmailEngine",
     "description": "Email Sync Engine",
@@ -59,18 +59,18 @@
         "@postalsys/bounce-classifier": "3.0.0",
         "@postalsys/certs": "1.0.14",
         "@postalsys/ee-client": "1.3.0",
-        "@postalsys/email-ai-tools": "1.13.4",
-        "@postalsys/email-text-tools": "2.4.5",
+        "@postalsys/email-ai-tools": "1.13.5",
+        "@postalsys/email-text-tools": "2.4.6",
         "@postalsys/gettext": "4.1.1",
         "@postalsys/joi-messages": "1.0.5",
         "@postalsys/templates": "2.0.1",
         "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.3.0",
-        "@zone-eu/mailsplit": "5.4.11",
+        "@simplewebauthn/server": "13.3.1",
+        "@zone-eu/mailsplit": "5.4.12",
         "@zone-eu/wild-config": "1.7.5",
         "ace-builds": "1.44.0",
         "base32.js": "0.1.0",
-        "bullmq": "5.77.3",
+        "bullmq": "5.77.7",
         "compare-versions": "6.1.1",
         "dotenv": "17.4.2",
         "encoding-japanese": "2.2.0",
@@ -84,9 +84,9 @@
         "html-to-text": "10.0.0",
         "ical.js": "1.5.0",
         "iconv-lite": "0.7.2",
-        "imapflow": "1.3.3",
+        "imapflow": "1.3.5",
         "ioredfour": "1.4.1",
-        "ioredis": "5.10.1",
+        "ioredis": "5.11.0",
         "ipaddr.js": "2.4.0",
         "joi": "17.13.3",
         "jquery": "4.0.0",
@@ -94,21 +94,21 @@
         "libmime": "5.3.8",
         "libqp": "2.1.1",
         "license-checker": "25.0.1",
-        "mailparser": "3.9.8",
+        "mailparser": "3.9.9",
         "marked": "9.1.6",
         "minimist": "1.2.8",
         "msgpack5": "6.0.2",
         "murmurhash": "2.0.1",
         "nanoid": "3.3.8",
-        "nodemailer": "8.0.8",
+        "nodemailer": "8.0.10",
         "pino": "10.3.1",
         "popper.js": "1.16.1",
         "prom-client": "15.1.3",
         "psl": "1.15.0",
-        "pubface": "1.1.1",
+        "pubface": "1.1.2",
         "punycode.js": "2.3.1",
         "qrcode": "1.5.4",
-        "smtp-server": "3.18.4",
+        "smtp-server": "3.18.5",
         "socks": "2.8.9",
         "speakeasy": "2.0.0",
         "startbootstrap-sb-admin-2": "3.3.7",
@@ -120,7 +120,7 @@
         "@eslint/js": "10.0.1",
         "chai": "4.3.10",
         "eerawlog": "1.5.3",
-        "eslint": "10.4.0",
+        "eslint": "10.4.1",
         "grunt": "1.6.2",
         "grunt-cli": "1.5.0",
         "grunt-shell-spawn": "0.5.0",