🔒 security(deps): cut v1.5.0-rc.38 — undici + nodemailer CVE sweep

CHANGELOG.md

@@ -16,6 +16,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every
 1.4.6+ / 1.5.x release's notes by `scripts/append-upgrade-notes.mjs` (wired into
 `release-cut.yml`). Update that file — not this comment — when the notes change. -->
 
+## [1.5.0-rc.38] — 2026-06-19
+
 ### Added
 
 - **Colored startup banner.** When drydock starts on an interactive terminal it now renders the whale logo as a compact truecolor half-block banner followed by a `drydock v<version> · <mode>` identity line. The art is baked from the master logo (`drydock.png`) at build time by `scripts/gen-banner.mjs`, so startup decodes no image. The banner is written to stderr and suppressed automatically when stdout/stderr is not a TTY or `NO_COLOR` is set, so logs and piped output stay clean.
@@ -33,6 +35,10 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every
 
 - **Patched the container image's HIGH/CRITICAL CVE surface and scoped the Grype image gate.** The first `grype-image` scan on `main` flagged a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran — no token was configured). Bumped the `node:24-alpine` base (node 24.14.0 → 24.16.0 clearing CVE-2026-21710, musl 1.2.5 → 1.2.6, curl 8.19.0 → 8.20.0, git 2.52.0 → 2.54.0) and `cosign` 2.6.3 → 3.0.6, which clears every HIGH/CRITICAL in the Node runtime and Alpine OS packages. The only residual HIGH/CRITICAL findings live inside the vendored Go module graphs compiled into the bundled `cosign` and `trivy` CLI binaries (drydock shells out to them for signature verification and container scanning) — those clear only when Alpine rebuilds the packages, so a documented `.grype.yaml` scopes the fail-on-HIGH image gate to the dependencies drydock controls (Node, OS packages, the app npm graph) and excludes the two tool-binary locations. cosign 3.0.6 keeps the `verify --output json`/`--certificate-identity`/`--certificate-oidc-issuer`/`--key` flags drydock's signature path uses.
 
+- **Patched a batch of newly-disclosed `undici` CVEs across the runtime and tooling workspaces.** osv-scanner flagged eight undici advisories disclosed in 2026 — [CVE-2026-6733](https://github.com/advisories/GHSA-35p6-xmwp-9g52), [CVE-2026-6734](https://github.com/advisories/GHSA-hm92-r4w5-c3mj), [CVE-2026-9675](https://github.com/advisories/GHSA-38rv-x7px-6hhq), [CVE-2026-9678](https://github.com/advisories/GHSA-pr7r-676h-xcf6), [CVE-2026-9679](https://github.com/advisories/GHSA-p88m-4jfj-68fv), [CVE-2026-9697](https://github.com/advisories/GHSA-vmh5-mc38-953g), [CVE-2026-11525](https://github.com/advisories/GHSA-g8m3-5g58-fq7m), and [CVE-2026-12151](https://github.com/advisories/GHSA-vxpw-j846-p89q). The shipped backend (`app`) carries undici as a direct dependency and was on `8.3.0`, vulnerable to all eight — bumped to `8.5.0`, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned in `overrides` as well. The dashboard build (`ui`) and the e2e load-test harness pulled undici `7.25.0`/`7.26.0` transitively; an `overrides` entry forces `7.28.0` (the patched 7.x line) in each — build- and test-only, not part of the shipped image.
+
+- **Patched `nodemailer` to 9.0.1 ([GHSA-p6gq-j5cr-w38f](https://github.com/advisories/GHSA-p6gq-j5cr-w38f), CVSS 7.1).** A message-level `raw` option bypassed nodemailer's `disableFileAccess`/`disableUrlAccess` guards, allowing arbitrary file read and full-response SSRF in the delivered message. drydock's SMTP trigger only calls `createTransport`/`sendMail` with plain `from`/`to`/`subject`/`text` fields and never passes `raw`, so the sink isn't reachable here — but the advisory affects every release through 9.0.0 with the fix landing only in 9.0.1, so the direct dependency in `app` is bumped from `8.0.10`. The 8→9 major jump doesn't touch the stable `createTransport`/`sendMail` core drydock relies on.
+
 ## [1.5.0-rc.37] — 2026-06-15
 
 ### Security

app/package.json

@@ -51,7 +51,7 @@
     "mqtt": "5.15.1",
     "nocache": "4.0.0",
     "node-cron": "4.2.1",
-    "nodemailer": "8.0.10",
+    "nodemailer": "9.0.1",
     "openid-client": "6.8.4",
     "p-limit": "7.3.0",
     "parse-docker-image-name": "3.0.0",
@@ -66,7 +66,7 @@
     "semver": "7.8.1",
     "set-value": "4.1.0",
     "sort-es": "1.7.18",
-    "undici": "8.3.0",
+    "undici": "8.5.0",
     "unix-crypt-td-js": "1.1.4",
     "uuid": "14.0.0",
     "ws": "8.21.0",
@@ -85,7 +85,8 @@
     "vite": "8.0.16",
     "@babel/core": "7.29.6",
     "form-data": "4.0.6",
-    "protobufjs": "7.6.3"
+    "protobufjs": "7.6.3",
+    "undici": "8.5.0"
   },
   "devDependencies": {
     "@fast-check/vitest": "0.4.1",

e2e/package.json

@@ -47,6 +47,7 @@
     "yaml": "2.8.3",
     "form-data": "4.0.6",
     "protobufjs": "7.6.3",
-    "@opentelemetry/core": "2.8.0"
+    "@opentelemetry/core": "2.8.0",
+    "undici": "7.28.0"
   }
 }

ui/package.json

@@ -71,6 +71,7 @@
     "postcss": "8.5.10",
     "qs": "6.15.2",
     "yaml": "2.9.0",
-    "@babel/core": "7.29.6"
+    "@babel/core": "7.29.6",
+    "undici": "7.28.0"
   }
 }