
fix: upgrade Next.js and Nodemailer to resolve Dependabot alerts#65

Merged
TechQuery merged 2 commits intomainfrom
fix/security-dependency-warn
Apr 15, 2026

Conversation

Contributor

@luojiyin1987 luojiyin1987 commented Apr 15, 2026


Summary

This PR upgrades vulnerable dependencies reported by Dependabot.

Updated packages:

  • next -> 16.2.3
  • @next/mdx -> 16.2.3
  • eslint-config-next -> 16.2.3
  • @next/eslint-plugin-next -> 16.2.3
  • nodemailer -> 8.0.5

Why

This addresses known security advisories in the current dependency tree:

  • next < 16.2.3
  • nodemailer <= 8.0.4

The goal is to clear current Dependabot alerts with the smallest possible dependency change set.

Notes

  • No application logic was changed.
  • Lockfile was updated accordingly.

Validation

  • Verified dependency versions in package.json
  • Updated lockfile (pnpm-lock.yaml)
  • Security-focused dependency upgrade only

Signed-off-by: luojiyin <luojiyin@hotmail.com>
@luojiyin1987 luojiyin1987 requested a review from TechQuery April 15, 2026 15:20
@coderabbitai

coderabbitai bot commented Apr 15, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • package.json is excluded by none and included by none
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 549af566-e4b6-4341-8e55-db3646446a84

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@dosubot

dosubot bot commented Apr 15, 2026

Related Documentation

1 document(s) may need updating based on files changed in this PR:

Open Source Bazaar's Space

Backend Framework and API Design
View Suggested Changes
@@ -128,7 +128,7 @@
 
 #### Lark Email API
 
-The system includes an email sending API at `/api/Lark/mail/[address]/message` that uses nodemailer 8.0.1 to send emails through an SMTP server. This endpoint is built using Next.js API routes with `next-ssr-middleware` and accepts POST requests with nodemailer `Mail.Options` in the request body.
+The system includes an email sending API at `/api/Lark/mail/[address]/message` that uses nodemailer 8.0.5 to send emails through an SMTP server. This endpoint is built using Next.js API routes with `next-ssr-middleware` and accepts POST requests with nodemailer `Mail.Options` in the request body.
 
 The email API:
 
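Review bot: the doc line in this hunk still pins an exact nodemailer patch version (8.0.1 becomes 8.0.5), which is precisely the detail that went stale and will go stale again on the next Dependabot bump; consider wording it without the patch number, e.g. `that uses nodemailer (version as pinned in package.json) to send emails through an SMTP server`, so the documentation does not need a suggested change for every security-only upgrade.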


@luojiyin1987
Contributor Author

Building: Vercel CLI 51.2.1
Building: Detected `pnpm-lock.yaml` 9 which may be generated by pnpm@9.x or pnpm@10.x
Building: Using pnpm@9.x based on project creation date

This is the error from the GitHub Action. Do we need to specify the pnpm version in package.json?

@TechQuery
Member

Building: Vercel CLI 51.2.1
Building: Detected `pnpm-lock.yaml` 9 which may be generated by pnpm@9.x or pnpm@10.x
Building: Using pnpm@9.x based on project creation date

This is the error from the GitHub Action. Do we need to specify the pnpm version in package.json?

The real error is not shown by the Vercel CLI:

ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "overrides" configuration doesn't match the value found in the lockfile

Projects with dependency version overrides need to run pnpm i again after pnpm up to update the lock file.
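A pre-install check for the mismatch TechQuery describes, added here as an example and not part of this repository or of pnpm itself: it reads the overrides from package.json and from the top-level overrides: block of pnpm-lock.yaml and reports any disagreement before a frozen install fails with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. It assumes the lockfile stores overrides as a flat, two-space-indented name: version block; the sample package.json and lockfile texts are constructed.

```python
"""Pre-install check for the ERR_PNPM_LOCKFILE_CONFIG_MISMATCH failure seen in CI:
compare the overrides declared in package.json with those recorded in pnpm-lock.yaml."""
import json
import re

def package_json_overrides(text: str) -> dict[str, str]:
    # Overrides live under the "pnpm" key of package.json (assumed layout).
    return dict(json.loads(text).get("pnpm", {}).get("overrides", {}))

def lockfile_overrides(text: str) -> dict[str, str]:
    # Minimal parser for the top-level "overrides:" block of pnpm-lock.yaml;
    # assumes one two-space-indented "name: version" line per override.
    found: dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.rstrip() == "overrides:":
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        if not line.startswith("  "):      # next top-level key ends the block
            in_block = False
            continue
        m = re.match(r"^  (.+?):\s+(\S+)\s*$", line)
        if m:
            found[m.group(1).strip("'\"")] = m.group(2).strip("'\"")
    return found

def check_overrides(package_json_text: str, lockfile_text: str) -> list[str]:
    # Returns human-readable mismatches; an empty list means the two override
    # maps agree, so a frozen install will not fail for this reason.
    wanted = package_json_overrides(package_json_text)
    locked = lockfile_overrides(lockfile_text)
    problems = []
    for name in sorted(wanted):
        if name not in locked:
            problems.append(f"{name}: override {wanted[name]} missing from lockfile")
        elif locked[name] != wanted[name]:
            problems.append(f"{name}: package.json {wanted[name]} != lockfile {locked[name]}")
    for name in sorted(set(locked) - set(wanted)):
        problems.append(f"{name}: stale override {locked[name]} in lockfile")
    return problems

# Constructed sample: package.json already bumped by `pnpm up`, lockfile not yet re-written.
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "demo", "pnpm": {"overrides": {"next": "16.2.3", "nodemailer": "8.0.5"}}})
SAMPLE_LOCKFILE_STALE = "lockfileVersion: '9.0'\n\noverrides:\n  next: 16.2.1\n  nodemailer: 8.0.5\n\nimporters:\n  .:\n    dependencies: {}\n"
SAMPLE_LOCKFILE_FRESH = SAMPLE_LOCKFILE_STALE.replace("next: 16.2.1", "next: 16.2.3")
```

Running check_overrides against a project's real files before `pnpm install --frozen-lockfile` surfaces the disagreement that the Vercel build log hides; the fix remains re-running pnpm i to regenerate the lockfile.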

@TechQuery TechQuery added the bug Something isn't working label Apr 15, 2026
@github-project-automation github-project-automation bot moved this from Ready to In review in 官网项目群 Apr 15, 2026
@TechQuery TechQuery merged commit d935d7a into main Apr 15, 2026
4 checks passed
@TechQuery TechQuery deleted the fix/security-dependency-warn branch April 15, 2026 16:32
@github-project-automation github-project-automation bot moved this from In review to Done in 官网项目群 Apr 15, 2026

Labels

bug Something isn't working

Projects

Status: Done

2 participants