chore(deps): update axllent/mailpit docker tag to v1.28.4

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
axllent/mailpit (source)	minor	v1.21.8 → v1.28.4

---

Release Notes

axllent/mailpit (axllent/mailpit)

v1.28.4

Compare Source

Chore

• Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#​620)
• Update Go dependencies
• Update node dependencies

Fix

• Ensure SMTP HELO/EHLO command is issued before MAIL FROM as per RFC 5321 (#​621)
• Prevent nested MAIL command during an active SMTP transaction (#​623)
• Avoid error on image type assertion in thumbnail generation

v1.28.3

Compare Source

Security

• Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
• Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Chore

• Fix formatting and update reporting instructions in SECURITY.md (#​614)
• Allow @ character in message tags & set max length to 100 characters per tag
• Update Go dependencies
• Update node dependencies

Fix

• Correctly render default addresses in release modal after settings change (#​594)
• Correctly detect macOS group in install.sh (#​619)
• Auto-tagging using SMTP username using plain auth (#​617)
• Validate maximum lengths of email addresses - RFC5321 (section 4.5.3.1)

Test

• Update tag tests with length limits and @ character
• Add SMTP tests for address compliancy (RFC 5322) and header injection
• Add maximum email length validation tests - RFC5321 (section 4.5.3.1)

v1.28.2

Compare Source

Security

• Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data CVE-2026-22689

Feature

• Allow default mail addresses to be set when releasing message (#​594)

Chore

• Remove webkit warnings about missing template / render functions
• Avoid empty URL query parameter when returning to inbox from message view

v1.28.1

Compare Source

Security

• Restrict screenshot proxy to only support asset links contained in messages CVE-2026-21859

Chore

• Bump actions/checkout from 5 to 6 (#​610)
• Bump actions/cache from 4 to 5 (#​607)
• Bump actions/stale from 10.0.0 to 10.1.1 (#​604)
• Bump actions/setup-node from 5 to 6 (#​598)
• Bump esbuild from 0.25.12 to 0.27.2 (#​611)
• Update Go dependencies
• Update node dependencies

Test

• Add inline message tests
• Increase swagger test timeout

v1.28.0

Compare Source

Feature

• Optionally propagate SMTP errors (#​588)

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

v1.27.11

Compare Source

Chore

• Update Go dependencies
• Update node dependencies
• Add type assertion for value in imaging assignment

v1.27.10

Compare Source

Security

• Prevent potential information disclosure via indirect expvar library (Prometheus)

Chore

• Add tooltip to messages nav dropdown
• Update GitHub Actions
• Add tooltip to messages nav dropdown
• Update GitHub Actions
• Update Go dependencies
• Update node dependencies

v1.27.9

Compare Source

Chore

• UI tweaks to pagination layout for clearer navigation (#​568)
• Add margin to icons in release and delete buttons for consistent spacing
• Update navbar theme to use data-bs-theme attribute for consistency
• Update Go dependencies
• Update node dependencies

v1.27.8

Compare Source

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

v1.27.7

Compare Source

Fix

• Move HELO/EHLO hostname setting to the correct position in SMTP client creation (#​558)

v1.27.6

Compare Source

Feature

• Add optional --no-release-check to version subcommand (#​557)

Chore

• Set HELO/EHLO hostname when connecting to external SMTP server (#​556)
• Update Go dependencies
• Update node dependencies

v1.27.5

Compare Source

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

Fix

• Support optional UIDL argument in POP3 server (#​552)

v1.27.4

Compare Source

Feature

• Allow rejected SMTP recipients to be silently dropped (#​549)

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

v1.27.3

Compare Source

Fix

• Fix sendmail when using an --smtp-addr <ip>:<port> (#​542)

v1.27.2

Compare Source

Security

• Prevent integer overflow conversion to uint64
• Add ReadHeaderTimeout to Prometheus metrics server

Feature

• Add ability to generate self-signed (snakeoil) certificates for UI, SMTP and POP3 (#​539)

Chore

• Allow sendmail to send to untrusted TLS server
• Update eslint config, remove neostandard
• Refactor JS functions and remove unused parameters
• Update Go dependencies
• Update node dependencies

Fix

• Use MaxMessages to determine pruning (#​536)
• Support angle brackets for text/plain URLs with spaces (#​535)
• Do not check latest release for Prometheus statistics (#​522)

v1.27.1

Compare Source

Chore

• Update Go dependencies
• Update node dependencies
• Add type assertion for value in imaging assignment

v1.27.0

Compare Source

Chore

• Remove unused functionality/deadcode (golangci-lint)
• Refactor error handling and resource management across multiple files (golangci-lint)
• Refactor API Swagger definitions and remove unused structs
• Bump minimum Go version to v1.24.3 for jhillyerd/enmime/v2
• Switch version checks & self-updater to use ghru/v2
• Update Go dependencies
• Update node dependencies

Fix

• Align websocket new message values with global Message Summary (no null values) (#​526)

v1.26.2

Compare Source

Feature

• Store username with messages, auto-tag, and UI display (#​521)
• Allow version checking to be disabled (#​524)

Chore

• Apply linting to all JavaScript/Vue files with eslint & prettier
• Update Go dependencies
• Update node dependencies

Fix

• Improve version polling, add thread safety and exponential backoff (#​523)

Test

• Add JavaScript linting tests to CI
• Add Go linting (gofmt) to CI

v1.26.1

Compare Source

Feature

• Add relay config to preserve (keep) original Message-IDs when relaying messages (#​515)

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail testing database

Fix

• Add optional message_num argument in POP3 LIST command (#​518)
• Use float64 for returned SQL value types for rqlite compatibility (#​520)

Test

• Add small delay in POP3 test after disconnection to allow for background deletion in rqlite
• Add automated tests using the rqlite database

v1.26.0

Compare Source

Feature

• Send API allow separate auth (#​504)
• Add Prometheus exporter (#​505)

Chore

• Add MP_DATA_FILE deprecation warning
• Update Go dependencies
• Update node dependencies

Fix

• Ignore basic auth for OPTIONS requests to API when CORS is set
• Fix sendmail symlink detection for macOS (#​514)

v1.25.1

Compare Source

Chore

• Switch from unnecessary float64 to uint64 API values for App Information, message & attachment sizes
• Extend latest version cache expiration from 5 to 15 minutes
• Lighten outline-secondary buttons in dark mode
• Add note to swagger docs about API date formats
• Update Go dependencies
• Update node dependencies

Fix

• Update bootstrap5-tags to fix text pasting in message release modal (#​498)

v1.25.0

Compare Source

Feature

• Add option to hide the "Delete all" button in web UI (#​495)

Chore

• Upgrade to jhillyerd/enmime/v2
• Switch yaml parser to github.com/goccy/go-yaml
• Tweak UI to improve contrast between read & unread messages
• Adjust UI margin for side navigation
• Update Go dependencies
• Update node dependencies
• Update caniemail database

Fix

• Include SMTPUTF8 capability in SMTP EHLO response (#​496)

Documentation

• Switch to git-cliff for changelog generation
• Add Message ListUnsubscribe to swagger / API documentation (#​494)

v1.24.2

Compare Source

Feature

• Display unread count in app badge (#​485)

Chore

• Install script improvements & better error handling (#​482)
• Update Go dependencies
• Update node dependencies
• Update caniemail database

v1.24.1

Compare Source

Feature

• Add ability to mark all search results as read (#​476)

Chore

• Bump node version to 22 for binary releases
• Improve error message for From header parsing failure (#​477)
• Update Go dependencies
• Update node dependencies

v1.24.0

Compare Source

Feature

• Add TLS relay support and refactor relay function (#​471)
• Add TLS forwarding support and refactor forwarding function

Chore

• Update Go dependencies
• Standardize error message casing
• Update Go dependencies
• Update node dependencies

v1.23.2

Compare Source

Chore

• Update node dependencies
• Use Message-ID header instead of Message-Id when generating new IDs (RFC 5322)
• Improve inline HTML Check style detection (#​467)
• Update Go dependencies

Test

• Add tests for inline HTML Checks

v1.23.1

Compare Source

Chore

• Replace PrismJS with highlight.js for HTML syntax highlighting
• Update Go dependencies
• Update node dependencies

Fix

• Allow searching messages using only Cyrillic characters (#​450)
• Prevent cropping bottom of label characters in web UI (#​457)

v1.23.0

Compare Source

Feature

• Add configuration to set message compression level in db (0-3) (#​447 & #​448)
• Add configuration to explicitly disable HTTP compression in web UI/API (#​448)
• Add configuration to disable SQLite WAL mode for NFS compatibility

Chore

• Avoid shell in Docker health check (#​444)
• Handle BLOB storage for default database differently to rqlite to reduce memory overhead (#​447)
• Optimize ZSTD encoder for fastest compression of messages (#​447)
• Minor speed & memory improvements when storing messages
• Update Go dependencies
• Update node dependencies

Fix

• Display the correct STARTTLS or TLS runtime option on startup (#​446)

Test

• Add tests for message compression levels

v1.22.3

Compare Source

Feature

• Add dump feature to export all raw messages to a local directory (#​443)

Chore

• Specify Docker health check start period and interval (#​439)
• Update Go dependencies
• Update node dependencies

Fix

• Replace TrimLeft with TrimPrefix for webroot path handling (#​441)
• Include font/woff content type to embedded controller
• Update Swagger JSON to prevent overflow (#​442)
• Correctly detect maximum SMTP recipient limits, add test

v1.22.2

Compare Source

Chore

• Replace http.FileServer with custom controller to correctly encode gzipped error responses for embed.FS
• Enable browser cache for embedded web UI assets
• Update Go dependencies
• Update node dependencies / esbuild

Fix

• Remove recursive HTML regeneration in embedded HTML view (#​434)
• Add missing "latest" route to message attachment API endpoint (#​437)

v1.22.1

Compare Source

Feature

• Add optional UI setting to skip "Delete all" & "Mark all read" confirmation dialogs(#​428)
• Add optional query parameter for HTML message iframe embedding (#​434)

Chore

• Bump actions/stale from 9.0.0 to 9.1.0 (#​432)
• Add API CORS policy to HTML preview routes (#​434)
• Update Go dependencies
• Update node dependencies

v1.22.0

Compare Source

Feature

• Add Chaos functionality to test integration handling of SMTP error responses (#​402, #​110, #​144 & #​268)
• Option to override the From email address in SMTP relay configuration (#​414)
• SMTP auto-forwarding option (#​414)

Chore

• Update Go dependencies
• Update node dependencies

Fix

• Correct date formatting in TestMakeHeaders
• Update command npm run update-caniemail save path (#​422)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}