emailengine-app 2.70.0 → 2.71.0

package/lib/license-beacon.js

@@ -0,0 +1,367 @@
+'use strict';
+
+// License-validation feature beacon.
+//
+// Collects a compact, anonymized snapshot of which features are enabled and exercised on this
+// instance, to be piggybacked onto the existing daily license-validation POST. The intent is to
+// learn whether deprecation-candidate features are still in use in the field.
+//
+// Privacy: the snapshot contains only enable-flags, provider type names, coarse magnitude tiers
+// (NOT raw counts), exercised-usage booleans, and runtime context. It never includes account
+// addresses, URLs, credentials, or any other PII/secrets.
+//
+// Reliability: collection is strictly best-effort. Every field is isolated so one failing Redis
+// read degrades that field rather than the whole snapshot, and collectBeacon never throws - on a
+// catastrophic failure it returns null and the license call proceeds with its original fields.
+// The caller is expected to also time-box this with withTimeout().
+
+const crypto = require('crypto');
+const msgpack = require('msgpack5')();
+
+const settings = require('./settings');
+const { getCounterValues, hasEnvValue, readEnvValue, getBoolean } = require('./tools');
+const { REDIS_PREFIX, EE_DOCKER_LEGACY } = require('./consts');
+const { oauth2Apps } = require('./oauth2-apps');
+const passkeys = require('./passkeys');
+const featureFlags = require('./feature-flags');
+const { documentStoreFeatureEnabled } = require('./document-store');
+
+// Beacon schema version. Bump when the meaning of codes changes so the license server can adapt.
+const SCHEMA_VERSION = 1;
+
+// Window for "exercised recently" usage signals. A week smooths over quiet days so the digest
+// (and therefore the full-payload sends) does not churn day to day.
+const USE_WINDOW_SECONDS = 7 * 24 * 3600;
+
+// Skip the per-route webhook content scan above this many routes (keeps the collector cheap).
+const WH_SCAN_LIMIT = 250;
+
+// Time-box for a single collection so a slow Redis can never delay license validation.
+const COLLECT_TIMEOUT_MS = 2000;
+
+// Resend the full snapshot at least this often even when its digest has not changed.
+const FULL_RESEND_INTERVAL_MS = 30 * 24 * 3600 * 1000;
+
+// Map a raw count to a coarse magnitude tier (powers of ten). Values are buckets, never counts.
+function tier(n) {
+    n = Number(n) || 0;
+    if (n <= 0) return 0;
+    if (n === 1) return 1;
+    if (n < 10) return 2;
+    if (n < 100) return 3;
+    if (n < 1000) return 4;
+    if (n < 10000) return 5;
+    return 6;
+}
+
+// Truthiness for boolean-ish settings (schema booleans arrive as real booleans; legacy/raw values
+// may be strings or arrays).
+function truthy(value) {
+    if (value === true) {
+        return true;
+    }
+    if (typeof value === 'number') {
+        return value !== 0;
+    }
+    if (Array.isArray(value)) {
+        return value.length > 0;
+    }
+    if (typeof value === 'string') {
+        return /^(y|yes|true|t|1)$/i.test(value.trim());
+    }
+    return false;
+}
+
+// Non-empty check for string-valued settings (URLs, keys, scripts) without inspecting the value.
+function nonEmpty(value) {
+    if (typeof value === 'string') {
+        return value.trim().length > 0;
+    }
+    return truthy(value);
+}
+
+// Deterministic serialization: object keys sorted recursively. Arrays are pre-sorted at build time.
+// Produces a stable string so the digest only changes when the snapshot meaningfully changes.
+function stableStringify(value) {
+    if (Array.isArray(value)) {
+        return '[' + value.map(stableStringify).join(',') + ']';
+    }
+    if (value && typeof value === 'object') {
+        return (
+            '{' +
+            Object.keys(value)
+                .sort()
+                .map(key => JSON.stringify(key) + ':' + stableStringify(value[key]))
+                .join(',') +
+            '}'
+        );
+    }
+    return JSON.stringify(value);
+}
+
+// Resolve the install channel, mirroring lib/ui-routes/dashboard-routes.js.
+function installChannel() {
+    if (getBoolean(readEnvValue('EENGINE_DOCEAN'))) {
+        return 'docean';
+    }
+    if (typeof readEnvValue('RENDER_SERVICE_SLUG') === 'string' && readEnvValue('RENDER_SERVICE_SLUG')) {
+        return 'render';
+    }
+    if (getBoolean(readEnvValue('EENGINE_INSTALL_SCRIPT'))) {
+        return 'script';
+    }
+    if (EE_DOCKER_LEGACY) {
+        return 'docker-legacy';
+    }
+    return 'general';
+}
+
+// Race a promise against a timeout so a slow Redis can never delay license validation.
+function withTimeout(promise, ms) {
+    return Promise.race([
+        promise,
+        new Promise((resolve, reject) => {
+            setTimeout(() => reject(new Error('Beacon collection timed out')), ms).unref();
+        })
+    ]);
+}
+
+// Build the diagnostic snapshot and its digest. Returns { fh, diag } or null on failure.
+async function collectBeacon({ redis, logger }) {
+    // Isolate a single field: log and swallow so one failure does not abort the whole snapshot.
+    const safe = async fn => {
+        try {
+            return await fn();
+        } catch (err) {
+            if (logger) {
+                logger.error({ msg: 'Beacon field collection failed', err });
+            }
+            return undefined;
+        }
+    };
+
+    try {
+        const diag = { v: SCHEMA_VERSION };
+
+        const s =
+            (await safe(() =>
+                settings.getMulti(
+                    'smtpServerEnabled',
+                    'imapProxyServerEnabled',
+                    'enableApiProxy',
+                    'trackOpens',
+                    'trackClicks',
+                    'webhooksEnabled',
+                    'openAiAPIKey',
+                    'generateEmailSummary',
+                    'openAiGenerateEmbeddings',
+                    'openAiAPIUrl',
+                    'openAiPreProcessingFn',
+                    'proxyEnabled',
+                    'httpProxyEnabled',
+                    'localAddresses',
+                    'sentryEnabled',
+                    'authServer',
+                    'imapIndexer',
+                    'totpEnabled',
+                    'documentStoreEnabled',
+                    'documentStoreGenerateEmbeddings',
+                    'documentStorePreProcessingEnabled',
+                    'gmailEnabled',
+                    'outlookEnabled',
+                    'mailRuEnabled',
+                    'trackSentMessages'
+                )
+            )) || {};
+
+        const on = key => truthy(s[key]);
+
+        // Enabled-feature codes (presence = on; codes are omitted when off).
+        const feat = [];
+        if (on('smtpServerEnabled')) feat.push('smtp');
+        if (on('imapProxyServerEnabled')) feat.push('imapproxy');
+        if (on('enableApiProxy')) feat.push('apiproxy');
+        if (on('trackOpens')) feat.push('track_o');
+        if (on('trackClicks')) feat.push('track_c');
+        if (on('webhooksEnabled')) feat.push('webhooks');
+        if (nonEmpty(s.openAiAPIKey)) feat.push('ai');
+        if (on('generateEmailSummary')) feat.push('ai_sum');
+        if (on('openAiGenerateEmbeddings')) feat.push('ai_embed');
+        if (nonEmpty(s.openAiAPIUrl)) feat.push('ai_url');
+        if (nonEmpty(s.openAiPreProcessingFn)) feat.push('ai_prefn');
+        if (on('proxyEnabled')) feat.push('proxy');
+        if (on('httpProxyEnabled')) feat.push('httpproxy');
+        if (truthy(s.localAddresses)) feat.push('localaddr');
+        if (on('sentryEnabled')) feat.push('sentry');
+        if (nonEmpty(s.authServer)) feat.push('authsrv');
+        if (s.imapIndexer === 'fast') feat.push('idx_fast');
+        if (on('totpEnabled')) feat.push('totp');
+        if (hasEnvValue('OKTA_OAUTH2_ISSUER') && hasEnvValue('OKTA_OAUTH2_CLIENT_ID') && hasEnvValue('OKTA_OAUTH2_CLIENT_SECRET')) {
+            feat.push('okta');
+        }
+        if (await safe(() => passkeys.hasPasskeys())) {
+            feat.push('passkey');
+        }
+        diag.feat = feat.sort();
+
+        // Entity magnitude tiers (buckets, not counts).
+        const scard = key => safe(() => redis.scard(`${REDIS_PREFIX}${key}`));
+        const rawAccounts = Number(await scard('ia:accounts')) || 0;
+        diag.tiers = {
+            acct: tier(rawAccounts),
+            oapp: tier(await scard('oapp:i')),
+            gw: tier(await scard('gateways')),
+            wh: tier(await scard('wh:i')),
+            tpl: tier(await scard('tpl::i')),
+            bl: tier(await safe(() => redis.hlen(`${REDIS_PREFIX}lists:unsub:lists`)))
+        };
+
+        // Provider mix. `oapp` = provider types of configured OAuth apps; `prov` = provider types
+        // that actually have accounts (plus `imap` for any non-OAuth accounts). Only the app id and
+        // provider type are read from the sanitized app listing - no secrets are inspected.
+        await safe(async () => {
+            const res = await oauth2Apps.list(0, 100000);
+            const apps = (res && res.apps) || [];
+
+            const configured = new Set();
+            const appProviders = [];
+            for (const app of apps) {
+                if (app && app.provider) {
+                    configured.add(app.provider);
+                    appProviders.push([app.id, app.provider]);
+                }
+            }
+            diag.oapp = Array.from(configured).sort();
+
+            const inUse = new Set();
+            let oauthAccounts = 0;
+            if (appProviders.length) {
+                const multi = redis.multi();
+                for (const [id] of appProviders) {
+                    multi.scard(`${REDIS_PREFIX}oapp:a:${id}`);
+                }
+                const counts = await multi.exec();
+                for (let i = 0; i < appProviders.length; i++) {
+                    const entry = counts[i];
+                    const count = (entry && !entry[0] && Number(entry[1])) || 0;
+                    oauthAccounts += count;
+                    if (count > 0) {
+                        inUse.add(appProviders[i][1]);
+                    }
+                }
+            }
+            if (rawAccounts > oauthAccounts) {
+                inUse.add('imap');
+            }
+            diag.prov = Array.from(inUse).sort();
+        });
+
+        // Exercised-usage signals from the existing event counters.
+        await safe(async () => {
+            const counters = (await getCounterValues(redis, USE_WINDOW_SECONDS)) || {};
+            const use = [];
+            if (counters['events:messageNew'] > 0) use.push('recv');
+            if (counters['submit:success'] > 0) use.push('send');
+            if (counters['webhooks:success'] > 0) use.push('wh');
+            if (counters['apiCall:success'] > 0) use.push('api');
+            diag.use = use.sort();
+        });
+
+        // Deprecation watchlist (presence of legacy/candidate-for-removal features).
+        const dep = [];
+        if (on('documentStoreEnabled')) dep.push('documentStore');
+        if (documentStoreFeatureEnabled) dep.push('documentStoreGate');
+        if (on('documentStoreGenerateEmbeddings')) dep.push('ds_embed');
+        if (on('documentStorePreProcessingEnabled')) dep.push('ds_preproc');
+        if (on('gmailEnabled') || on('outlookEnabled') || on('mailRuEnabled')) dep.push('legacyOauth');
+        if (on('trackSentMessages')) dep.push('trackSent');
+        if (EE_DOCKER_LEGACY) dep.push('dockerLegacy');
+        await safe(async () => {
+            const ids = await redis.smembers(`${REDIS_PREFIX}wh:i`);
+            if (ids && ids.length && ids.length <= WH_SCAN_LIMIT) {
+                const bufs = await redis.hmgetBuffer(
+                    `${REDIS_PREFIX}wh:c`,
+                    ids.map(id => `${id}:content`)
+                );
+                for (const buf of bufs || []) {
+                    if (!buf || !buf.length) {
+                        continue;
+                    }
+                    try {
+                        const content = msgpack.decode(buf);
+                        if (content && (content.fn || content.map)) {
+                            dep.push('whSubscript');
+                            break;
+                        }
+                    } catch (err) {
+                        // undecodable entry, skip
+                    }
+                }
+            }
+        });
+        diag.dep = dep.sort();
+
+        // Enabled EENGINE_FEATURE_* flags (already sorted).
+        diag.flags = (await safe(() => featureFlags.listEnabled())) || [];
+
+        // Runtime context.
+        diag.dist = installChannel();
+        diag.node = process.versions.node;
+        diag.arch = process.arch;
+
+        const fh = crypto.createHash('sha256').update(stableStringify(diag)).digest('hex').slice(0, 12);
+
+        return { fh, diag };
+    } catch (err) {
+        if (logger) {
+            logger.error({ msg: 'Beacon collection failed', err });
+        }
+        return null;
+    }
+}
+
+// Collect the snapshot (time-boxed) and decide what to attach to the license request body.
+// Always attaches the digest `fh`; attaches the full `diag` only when the digest changed since the
+// last accepted send or the 30-day heartbeat is due. Best-effort: never throws.
+async function attachBeacon(body, { redis, logger, now }) {
+    try {
+        const beacon = await withTimeout(collectBeacon({ redis, logger }), COLLECT_TIMEOUT_MS);
+        if (!beacon || !beacon.fh) {
+            return;
+        }
+        body.fh = beacon.fh;
+
+        const [storedHash, bft] = await redis.hmget(`${REDIS_PREFIX}settings`, ['bfh', 'bft']);
+        const lastFull = parseInt(bft || '0', 16) || 0;
+        if (beacon.fh !== storedHash || now - lastFull > FULL_RESEND_INTERVAL_MS) {
+            body.diag = beacon.diag;
+        }
+    } catch (err) {
+        if (logger) {
+            logger.error({ msg: 'License beacon collection failed', err });
+        }
+    }
+}
+
+// Persist the send-on-change markers after a successful validation. `needFull` (from the server)
+// forces a full resend on the next cycle when the server has the digest but not the snapshot.
+// Best-effort: never throws.
+async function persistBeaconMarkers({ redis, logger, body, now, needFull }) {
+    try {
+        if (body.fh) {
+            await redis.hset(`${REDIS_PREFIX}settings`, 'bfh', body.fh);
+            if (body.diag) {
+                await redis.hset(`${REDIS_PREFIX}settings`, 'bft', now.toString(16));
+            }
+        }
+        if (needFull) {
+            await redis.hdel(`${REDIS_PREFIX}settings`, 'bfh');
+        }
+    } catch (err) {
+        if (logger) {
+            logger.error({ msg: 'Failed to persist license beacon markers', err });
+        }
+    }
+}
+
+module.exports = { collectBeacon, attachBeacon, persistBeaconMarkers, withTimeout, tier, stableStringify };

package/lib/logger.js

@@ -7,6 +7,7 @@ if (!process.env.EE_ENV_LOADED) {
 
 const config = require('@zone-eu/wild-config');
 const pino = require('pino');
+const { TRANSIENT_NETWORK_CODES } = require('./consts');
 
 config.log = config.log || {
     level: 'trace'
@@ -14,10 +15,19 @@ config.log = config.log || {
 
 config.log.level = config.log.level || 'trace';
 
+// undici raises every connection failure as a generic `TypeError` (e.g. "fetch failed"
+// or "terminated") with the real DNS/socket error attached as err.cause. Those are
+// transient, environmental blips - not code bugs - so they must not be forwarded to
+// error tracking, where they pile up as useless "fetch failed" reports. Genuine
+// TypeError/RangeError bugs have no network errno cause and still get reported.
+function isTransientFetchError(err) {
+    return err && err.name === 'TypeError' && err.cause && TRANSIENT_NETWORK_CODES.has(err.cause.code);
+}
+
 let logger = pino({
     formatters: {
         log(object) {
-            if (object.err && ['TypeError', 'RangeError'].includes(object.err.name)) {
+            if (object.err && ['TypeError', 'RangeError'].includes(object.err.name) && !isTransientFetchError(object.err)) {
                 if (logger.notifyError) {
                     let meta = {};
                     for (let key of ['msg', 'path', 'cid']) {

package/lib/routes-ui.js

@@ -35,7 +35,8 @@ function applyRoutes(server, call) {
     // Network, SMTP server, IMAP proxy, and browser config routes
     networkConfigRoutes({ server, call });
 
-    // Document Store (Elasticsearch) config routes
+    // Document Store (Elasticsearch) config routes (deprecated feature; the module self-gates
+    // and registers no routes unless the Document Store feature is enabled)
     documentStoreRoutes({ server });
 
     // Admin auth and user-profile routes (login, logout, TOTP, passkeys, password)

package/lib/tools.js

@@ -57,7 +57,26 @@ const AGENT_OPTS = {
 const RETRY_OPTS = {
     maxRetries: URL_FETCH_RETRY_MAX,
     methods: ['GET', 'PUT', 'HEAD', 'OPTIONS', 'DELETE', 'POST'],
-    statusCodes: [429] // do not retry 5xx errors
+    statusCodes: [429], // do not retry 5xx errors
+    // undici does not retry transient DNS failures (EAI_AGAIN) or socket connect
+    // timeouts (ETIMEDOUT) by default, so a name-resolution blip bubbles up as a hard
+    // `TypeError: fetch failed`. Add them to the retry list. Passing errorCodes REPLACES
+    // undici's defaults, so its default codes are re-listed here.
+    errorCodes: [
+        // undici defaults
+        'ECONNRESET',
+        'ECONNREFUSED',
+        'ENOTFOUND',
+        'ENETDOWN',
+        'ENETUNREACH',
+        'EHOSTDOWN',
+        'EHOSTUNREACH',
+        'EPIPE',
+        'UND_ERR_SOCKET',
+        // additions: transient DNS / socket connect-timeout failures
+        'EAI_AGAIN',
+        'ETIMEDOUT'
+    ]
 };
 
 // Shared mutable object -- consumers import the object reference and access
@@ -2198,6 +2217,7 @@ vWuuhT9ely8AUX2F
 mF3GOI+Ev7mJODtG
 nQNwPlZ+tyx24XVo
 olObiSmdzVaMp7lH
+SruXHv6plKL9YuAW
 cyp1GKV4Cl+eC8G/
 Q1y/TzbtUQCqnotR
 59Q2qOkuyTLzQDhd
@@ -2221,9 +2241,13 @@ EsbWnuADOq9qe/EZ
 YfUSxQtq1+kpwW/W
 QodzxvoJ6NPGhCgW
 5/VK+O950efBio0t
-RA/lrkwxcTX80nxX
 b85BMAFRHn10uX8y
 vV2RgfFH2YFTYsly
+zcmIO3obSzUVHGtF
+tzsA68uFVAffHmec
+DkCU3OpaSa+rIVfU
+dcDjqpxVxivT46Rl
+QSgNcpNukC9CBNfe
 `
         .split(/\r?\n/)
         .map(l => l.trim())

package/lib/ui-routes/admin-config-routes.js

@@ -23,6 +23,7 @@ const timezonesList = require('timezones-list').default;
 const { redis, submitQueue, notifyQueue, documentsQueue } = require('../db');
 const { getByteSize, formatByteSize, getDuration, failAction, hasEnvValue, readEnvValue, httpAgent } = require('../tools');
 const { llmPreProcess } = require('../llm-pre-process');
+const { documentStoreFeatureEnabled } = require('../document-store');
 const { locales } = require('../translations');
 const { settingsSchema } = require('../schemas');
 const { getOpenAiModels, OPEN_AI_MODELS, getExampleDocumentsPayloads } = require('./route-helpers');
@@ -217,7 +218,7 @@ function init(args) {
                     values,
 
                     webhookErrorFlag: await settings.get('webhookErrorFlag'),
-                    documentStoreEnabled: (await settings.get('documentStoreEnabled')) || false
+                    documentStoreEnabled: (documentStoreFeatureEnabled && (await settings.get('documentStoreEnabled'))) || false
                 },
                 {
                     layout: 'app'
@@ -307,7 +308,7 @@ function init(args) {
                         ),
 
                         webhookErrorFlag: await settings.get('webhookErrorFlag'),
-                        documentStoreEnabled: (await settings.get('documentStoreEnabled')) || false
+                        documentStoreEnabled: (documentStoreFeatureEnabled && (await settings.get('documentStoreEnabled'))) || false
                     },
                     {
                         layout: 'app'
@@ -356,7 +357,7 @@ function init(args) {
                                 errors,
 
                                 webhookErrorFlag: await settings.get('webhookErrorFlag'),
-                                documentStoreEnabled: (await settings.get('documentStoreEnabled')) || false
+                                documentStoreEnabled: (documentStoreFeatureEnabled && (await settings.get('documentStoreEnabled'))) || false
                             },
                             {
                                 layout: 'app'

package/lib/ui-routes/document-store-routes.js

@@ -16,7 +16,7 @@ const { REDIS_PREFIX } = require('../consts');
 const { failAction } = require('../tools');
 const { settingsSchema } = require('../schemas');
 const { defaultMappings } = require('../es');
-const { getESClient } = require('../document-store');
+const { getESClient, documentStoreFeatureEnabled } = require('../document-store');
 const { getOpenAiModels, OPEN_AI_MODELS, getExampleDocumentsPayloads } = require('./route-helpers');
 
 const FIELD_TYPES = [
@@ -95,6 +95,12 @@ const configDocumentStoreSchema = {
 function init(args) {
     const { server } = args;
 
+    // Deprecated Document Store feature: when the gate is off, register no routes so that
+    // every /admin/config/document-store* page behaves like a regular 404.
+    if (!documentStoreFeatureEnabled) {
+        return;
+    }
+
     server.route({
         method: 'GET',
         path: '/admin/config/document-store',

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "emailengine-app",
-    "version": "2.70.0",
+    "version": "2.71.0",
     "private": false,
     "productTitle": "EmailEngine",
     "description": "Email Sync Engine",
@@ -11,6 +11,8 @@
         "single": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=1 node --inspect server --dbs.redis='redis://127.0.0.1:6379/6' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.single.txt | pino-pretty",
         "gmail": "EE_OPENAPI_VERBOSE=true EENGINE_LOG_RAW=true EENGINE_SECRET=your-encryption-key EENGINE_WORKERS=2 EENGINE_CORS_ORIGIN='*' node --inspect server --dbs.redis='redis://127.0.0.1:6379/11' --api.port=7003 --api.host=0.0.0.0 | tee $HOME/ee.log.gmail.txt | pino-pretty",
         "test": "NODE_ENV=test grunt",
+        "test:unit": "NODE_ENV=test grunt test-unit",
+        "test:integration": "NODE_ENV=test grunt test-integration",
         "lint": "npx eslint 'lib/**/*.js' 'workers/**/*.js' 'test/**/*.js' server.js Gruntfile.js",
         "swagger": "./getswagger.sh",
         "build-source": "rm -rf node_modules && npm install && rm -rf node_modules && npm ci --omit=dev && rm -rf node_modules/ace-builds node_modules/@postalsys/ee-client && ./update-info.sh",
@@ -56,21 +58,21 @@
         "@hapi/vision": "7.0.3",
         "@phc/pbkdf2": "1.1.14",
         "@postalsys/bounce-classifier": "3.0.0",
-        "@postalsys/certs": "1.0.14",
+        "@postalsys/certs": "1.0.15",
         "@postalsys/ee-client": "1.3.0",
-        "@postalsys/email-ai-tools": "1.13.5",
-        "@postalsys/email-text-tools": "2.4.6",
+        "@postalsys/email-ai-tools": "1.13.6",
+        "@postalsys/email-text-tools": "2.4.7",
         "@postalsys/gettext": "4.1.1",
         "@postalsys/joi-messages": "1.0.5",
         "@postalsys/templates": "2.0.1",
-        "@sentry/node": "10.57.0",
+        "@sentry/node": "10.58.0",
         "@simplewebauthn/browser": "13.3.0",
         "@simplewebauthn/server": "13.3.1",
         "@zone-eu/mailsplit": "5.4.12",
         "@zone-eu/wild-config": "1.7.5",
         "ace-builds": "1.44.0",
         "base32.js": "0.1.0",
-        "bullmq": "5.78.0",
+        "bullmq": "5.78.1",
         "compare-versions": "6.1.1",
         "dotenv": "17.4.2",
         "encoding-japanese": "2.2.0",
@@ -84,31 +86,31 @@
         "html-to-text": "10.0.0",
         "ical.js": "1.5.0",
         "iconv-lite": "0.7.2",
-        "imapflow": "1.4.0",
+        "imapflow": "1.4.1",
         "ioredfour": "1.4.1",
         "ioredis": "5.11.1",
         "ipaddr.js": "2.4.0",
-        "joi": "17.13.3",
+        "joi": "17.13.4",
         "jquery": "4.0.0",
         "libbase64": "1.3.0",
         "libmime": "5.3.8",
         "libqp": "2.1.1",
         "license-checker": "25.0.1",
-        "mailparser": "3.9.9",
+        "mailparser": "3.9.10",
         "marked": "9.1.6",
         "minimist": "1.2.8",
         "msgpack5": "6.0.2",
         "murmurhash": "2.0.1",
         "nanoid": "3.3.8",
-        "nodemailer": "8.0.11",
+        "nodemailer": "9.0.0",
         "pino": "10.3.1",
         "popper.js": "1.16.1",
         "prom-client": "15.1.3",
         "psl": "1.15.0",
-        "pubface": "1.1.2",
+        "pubface": "1.1.3",
         "punycode.js": "2.3.1",
         "qrcode": "1.5.4",
-        "smtp-server": "3.18.5",
+        "smtp-server": "3.19.0",
         "socks": "2.8.9",
         "speakeasy": "2.0.0",
         "startbootstrap-sb-admin-2": "3.3.7",
@@ -118,15 +120,14 @@
     },
     "devDependencies": {
         "@eslint/js": "10.0.1",
-        "acorn": "^8.16.0",
-        "acorn-walk": "^8.3.5",
+        "acorn": "8.17.0",
+        "acorn-walk": "8.3.5",
         "chai": "4.3.10",
         "eerawlog": "1.5.3",
-        "eslint": "10.4.1",
+        "eslint": "10.5.0",
         "grunt": "1.6.2",
         "grunt-cli": "1.5.0",
         "grunt-shell-spawn": "0.5.0",
-        "grunt-wait": "0.3.0",
         "pino-pretty": "13.0.0",
         "prettier": "3.8.4",
         "resedit": "3.0.2",
@@ -158,6 +159,8 @@
             "node_modules/@postalsys/joi-messages/translations/*",
             "node_modules/@postalsys/bounce-classifier/model/**/*",
             "node_modules/jsdom/lib/jsdom/browser/default-stylesheet.css",
+            "node_modules/nodemailer/lib/well-known/*.json",
+            "node_modules/nodemailer/package.json",
             "LICENSE_EMAILENGINE.txt",
             "version-info.json",
             "sbom.json"