fix: vulnerabilities by updating packages

[JivusAyrus]

Summary by CodeRabbit

• Chores
  • Bumped nodemailer and its type definitions to newer releases for compatibility and maintenance.
  • Upgraded Next.js to a newer patch across projects to align framework versions and improve stability.
  • Updated Vite dev tool to the latest patch for development tooling fixes.
  • Upgraded an indirect Go module dependency (mapstructure) to a newer patch for dependency hygiene.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

This PR updates dependency versions across the monorepo: nodemailer (and its types) in controlplane, Next.js in root pnpm.overrides and studio, Vite in playground, and an indirect Go module in demo; no source code or exported API changes.

Changes

Cohort / File(s)	Summary
Nodemailer upgrade controlplane/package.json	Bumped nodemailer from ^6.9.11 → ^7.0.7 and @types/nodemailer from ^6.4.14 → ^7.0.3.
Next.js upgrade package.json, studio/package.json	Bumped next from 15.2.4 → 15.4.7 in root pnpm.overrides and studio dependencies.
Vite minor update playground/package.json	Updated vite in devDependencies from ^5.4.19 → ^5.4.21.
Go indirect dependency demo/go.mod	Updated indirect module github.com/go-viper/mapstructure/v2 from v2.3.0 → v2.4.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Changes are primarily homogeneous dependency bumps across manifest files.
• Areas that may need extra attention:
  • nodemailer major version bump — check for breaking API changes in any code paths that import/send mail.
  • Next.js version bump — verify studio SSR/build compatibility and any framework-specific deprecations.
  • Run install/build and a quick smoke test for workspace packages after pnpm resolution changes.

Possibly related PRs

• fix: prevent vulnerable peer dependencies #2195 — also modifies pnpm.overrides to control transitive dependency versions; likely related to the Next.js override change.

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: updating packages to fix vulnerabilities across multiple files (controlplane, studio, playground, and demo).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 388e71c and e917005.

⛔ Files ignored due to path filters (2)

• demo/go.sum is excluded by !**/*.sum
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• controlplane/package.json (2 hunks)
• demo/go.mod (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• demo/go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: build-router
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: build_test
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

controlplane/package.json (1)

80-80: No breaking changes apply—nodemailer 7.0.7 is compatible with SMTP transport usage.

Verification shows that nodemailer 7.x breaking changes affect only AWS SES configurations. Nodemailer 7 requires the SESv2 AWS SDK and removes support for older SES configurations; createTransport and the general API remain compatible for SMTP/sendmail/JSON/stream transports.

The controlplane codebase uses only SMTP transport (verified in controlplane/src/core/services/Mailer.ts), so the upgrade introduces no breaking changes. The createTransport() and sendMail() API calls remain backward-compatible.

However, manually verify that tests covering Mailer.ts have been executed with nodemailer 7.0.7, as the PR checklist indicates test updates were not completed. No test files referencing the Mailer service were located in the search.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-1db2378745ebcae25a61c50032febd36597f962e-nonroot