
@maidul98 (Collaborator) commented Dec 7, 2025


Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • backend/package.json
  • backend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                      Score
high severity    Uncontrolled Recursion   SNYK-JS-NODEMAILER-14157156         803
medium severity  Directory Traversal      SNYK-JS-FASTIFYREPLYFROM-14157161   631

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


@maidul98 (Collaborator, Author) commented Dec 7, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues


@greptile-apps (Contributor) bot commented Dec 7, 2025

Greptile Overview

Greptile Summary

Security-focused dependency upgrades fixing 2 vulnerabilities:

  • nodemailer 6.9.9→7.0.11: Fixes uncontrolled recursion (SNYK-JS-NODEMAILER-14157156, score 803/1000)
  • @fastify/reply-from 9.8.0→12.5.0: Fixes directory traversal (SNYK-JS-FASTIFYREPLYFROM-14157161, score 631/1000)

Key Concerns:

  • @fastify/reply-from upgrade skips 3 major versions with breaking changes including fastify-plugin v4→v5 and undici v5→v7
  • Version mismatch: project uses fastify-plugin v4.5.1 while @fastify/reply-from v12 requires v5 (bundled as nested dependency)
  • No automated tests found for affected components (smtp-service.ts, primary-forwarding-mode.ts)
  • nodemailer v7 changes license from MIT to MIT-0

Testing Priority:

  1. SMTP functionality (email sending, verification)
  2. Primary forwarding mode (request proxying for write operations)

Confidence Score: 3/5

  • This PR fixes critical security vulnerabilities but introduces breaking dependency changes that require thorough testing before merge
  • While the security fixes are important (803 and 631 severity scores), the @fastify/reply-from upgrade jumps 3 major versions with breaking changes. The nested fastify-plugin v5 dependency creates a version mismatch with the project's v4, and no automated tests exist for the affected components (SMTP and primary forwarding). The code usage appears compatible, but manual testing is critical.
  • Both files require attention - verify that @fastify/reply-from v12's nested dependencies don't conflict with existing Fastify v4 plugins, and test SMTP and primary forwarding functionality thoroughly

Important Files Changed

File Analysis

Filename                   Score  Overview
backend/package.json       3/5    Upgrades nodemailer 6.9.9→7.0.11 and @fastify/reply-from 9.8.0→12.5.0 to fix security vulnerabilities; introduces potential breaking changes
backend/package-lock.json  3/5    Lock file reflecting dependency upgrades with nested fastify-plugin v5 in @fastify/reply-from; potential version conflicts

@greptile-apps bot left a comment

1 file reviewed, 2 comments


"@fastify/passport": "^2.4.0",
"@fastify/rate-limit": "^9.0.0",
"@fastify/reply-from": "^9.8.0",
"@fastify/reply-from": "^12.5.0",
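Review bot: this hunk only widens the range from `"@fastify/reply-from": "^9.8.0"` to `"^12.5.0"` and touches nothing else in package.json, so the root `fastify-plugin` entry stays at its v4 range while the upgraded package pulls in a nested v5 copy; before merging, confirm in the regenerated lock file that both copies resolve without deduplication into a single version, and that the plugin registration in backend/src/server/plugins/primary-forwarding-mode.ts still passes, since a caret range will also float to later 12.x releases on the next install.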

logic: Breaking Change: @fastify/reply-from v12 requires fastify-plugin v5, but the project uses fastify-plugin v4.5.1 (line 210). While v12 brings its own nested v5 dependency, this version mismatch could cause issues with plugin registration.

The upgrade from v9 to v12 skips major versions 10 and 11, which may include breaking API changes. The code in backend/src/server/plugins/primary-forwarding-mode.ts:1-14 uses basic APIs that should work, but thorough testing is needed.

"@fastify/passport": "^2.4.0",
"@fastify/rate-limit": "^9.0.0",
"@fastify/reply-from": "^9.8.0",
"@fastify/reply-from": "^12.5.0",

style: Test the primary forwarding functionality thoroughly after this upgrade - @fastify/reply-from jumped 3 major versions (v9→v12), which introduces significant dependency changes including undici v5→v7 and fastify-plugin v4→v5.
