2.72.3 (2026-07-06)
Bug Fixes
- bump imapflow to 1.4.4 (dedupe nodemailer/iconv-lite) (5acc8cd)
- bump imapflow/mailparser/mailsplit/email-ai-tools (collapse iconv-lite) (51dcffb)
- bump libmime/mailparser/smtp-server/pubface (uniform nodemailer) (eee89bb)
- constant-time MS Graph clientState check and escape unsubscribe email (3def225)
- escape Redis glob metacharacters in account-scoped SCAN patterns (603d9db)
- escape untrusted email fields in message browser to prevent stored XSS (1159cc1)
- gate hosted auth form with a single-use nonce and probe cap, harden serviceSecret (7ea4ff7)
- harden hosted authentication form (SSRF gate, fail-closed HMAC, XSS) (4267df7)
- HTML-escape json Handlebars helper to prevent stored XSS in error logs (af2c153)
- override grunt's transitive js-yaml to 3.15.0 (GHSA-h67p-54hq-rp68) (024a923)
- stop logging the MS Graph access token on HTTP 401 (f2f0300)
- update dependencies (@postalsys/ee-client 1.3.2, nodemailer 9.0.3, bullmq 5.79.2, @sentry/node 10.63.0, @bull-board 8.0.2) (b954f67)
- update dependencies (email-text-tools 2.4.10, email-ai-tools 1.13.10) (73df05c)
- use constant-time comparison for secret and MAC checks (453caf3)
- verify HMAC signature on the human-facing unsubscribe routes (e30be83)