Skip to content

feat(security) Allow end users to get automatic security patches without having to do a release of this package #2739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stefanoruth wants to merge 2 commits into
base: canary
Choose a base branch
from
Open

feat(security) Allow end users to get automatic security patches without having to do a release of this package #2739

stefanoruth wants to merge 2 commits into from
+117 −112

Conversation

@stefanoruth
Copy link

@stefanoruth stefanoruth commented Dec 18, 2025
edited
Loading

By addding ^ to the most common dependencies we allow other developers consuming this package to get security updates (patches) without having to release a new version of this package everytime.

Currently i see a code fix for using nextjs 16.0.10 that have been fixed 5 days ago, but there is no release for it yet unfortunatly.

Summary by cubic

Enable automatic security updates for consumers by switching fixed dependency versions to caret ranges in components, preview-server, and react-email. Compatible patches (and minors where safe) now roll in without releasing a new package version.

  • Dependencies
    • Switched to caret ranges for: next, react, react-dom, typescript, nypm, prompts, tsconfig-paths, and related @types.
    • Updated pnpm-lock.yaml to reflect new ranges.

Written for commit 302dfe5. Summary will update automatically on new commits.

@changeset-bot
Copy link

changeset-bot bot commented Dec 18, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 302dfe5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link

vercel bot commented Dec 18, 2025

@stefanoruth is attempting to deploy a commit to the resend Team on Vercel.

A member of the Team first needs to authorize it.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 18, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/resend/react-email/@react-email/components@2739

npm i https://pkg.pr.new/resend/react-email/@react-email/preview-server@2739

npm i https://pkg.pr.new/resend/react-email@2739

commit: 302dfe5

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 18, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

gabrielmfern
gabrielmfern requested changes Dec 18, 2025
View reviewed changes
packages/preview-server/package.json
"main": "./index.mjs",
"dependencies": {
"next": "16.0.10"
"next": "^16.0.10"
Copy link
Member

@gabrielmfern gabrielmfern Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can do this for other packages, but not for Next.js. We publish a built version of the Next app and the built app between different versions of Next.js is not guaranteed to not break, and it has broken before so we'd rather keep this one pinned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@gabrielmfern gabrielmfern gabrielmfern requested changes

+1 more reviewer

@alexsimkovich89 alexsimkovich89 alexsimkovich89 approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stefanoruth @gabrielmfern @alexsimkovich89