
fix: dependency security issues#3020

Open
gabrielmfern wants to merge 12 commits into canary from cursor/dependency-audit-issues-8d10

Conversation

@gabrielmfern
Member

@gabrielmfern gabrielmfern commented Mar 5, 2026

fix(deps): Resolve all pnpm audit vulnerabilities

This PR addresses and resolves all reported pnpm audit vulnerabilities in the monorepo.

Why these changes?
The goal was to eliminate all 44 reported vulnerabilities (critical, high, moderate, low) identified by pnpm audit.

How were the changes made?

  1. Direct dependency upgrades: Prioritized updating direct dependencies across apps/docs, apps/web, packages/preview-server, packages/react-email, and root development dependencies (e.g., mintlify, tailwindcss, webpack, rimraf, glob, @actions/*, @changesets/cli, rollup).
  2. Targeted pnpm.overrides: For remaining vulnerabilities caused by transitive dependencies pinned by packages like mintlify and @changesets/cli, specific pnpm.overrides were introduced to enforce secure versions.

Result:
pnpm audit now reports "No known vulnerabilities found".


Slack Thread


Summary by cubic

Resolves all pnpm audit vulnerabilities through direct upgrades and secure overrides, including a targeted zod override for mintlify. Tailwind catalog pinned for stable snapshots; pnpm audit now reports no known vulnerabilities.

  • Dependencies
    • Direct upgrades: mintlify 4.2.406, webpack 5.105.4, rimraf 6.1.3, glob 13.0.6.
    • Tooling: @actions/core 3.0.0, @actions/exec 3.0.0, @actions/github 9.0.0, @changesets/cli 2.30.0; added rollup 4.59.0.
    • TailwindCSS: web stays on v3 (3.4.4) for PostCSS; catalog pinned to 4.1.18.
    • Overrides: root pnpm.overrides use caret ranges for transitive deps (axios, body-parser, cookie, express, js-yaml, lodash, minimatch, path-to-regexp, qs, send, serve-static, tar); added zod 3.22.3 override for @mintlify/validation and @mintlify/scraping.
    • Regenerated pnpm-lock.yaml.

Written for commit a369140. Summary will update on new commits.
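
The two mechanisms the description lists, direct upgrades at the root plus targeted pnpm.overrides, shown as an added example of a root package.json. This is illustrative and not the repository's own file: the package names, the root devDependency versions, the zod 3.22.3 pin and its two @mintlify parents are taken from the PR summary above; the caret ranges on the override entries and the selector syntax are assumptions for illustration (JSON carries no comments, so the assumptions are stated here rather than inline). Only a subset of the overridden packages is shown.

```json
{
  "name": "react-email-monorepo",
  "private": true,
  "devDependencies": {
    "@changesets/cli": "2.30.0",
    "glob": "13.0.6",
    "rimraf": "6.1.3",
    "rollup": "4.59.0"
  },
  "pnpm": {
    "overrides": {
      "body-parser": "^1.20.3",
      "cookie": "^0.7.0",
      "lodash": "^4.17.21",
      "tar": "^6.2.1",
      "path-to-regexp@^0.1.0": "^0.1.12",
      "@mintlify/validation>zod": "3.22.3",
      "@mintlify/scraping>zod": "3.22.3"
    }
  }
}
```

Three things a reviewer should check on a change like this. First, a bare key such as "body-parser" rewrites every occurrence in the graph regardless of the range each dependent declared, so pnpm audit going green says nothing about compatibility; the parent-scoped form "@mintlify/validation>zod" and the version-scoped form "path-to-regexp@^0.1.0" (placeholder range) limit the blast radius, and the latter matters for packages that ship several incompatible major lines at once. Second, an exact pin like "3.22.3" also freezes future patch releases of that package, so the same entry can resurface in a later audit and must be revisited. Third, after pnpm install regenerates pnpm-lock.yaml, pnpm why zod shows which resolution each consumer actually received, and pnpm audit --audit-level=moderate (or high) is the CI gate that keeps the result from regressing; pnpm audit --fix can write override entries automatically, but it emits the unscoped form, so its output still needs the scoping review above.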

@changeset-bot

changeset-bot bot commented Mar 5, 2026

⚠️ No Changeset found

Latest commit: a369140

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@vercel

vercel bot commented Mar 5, 2026

The latest updates on your projects.

Project           Deployment  Actions           Updated (UTC)
react-email       Ready       Preview, Comment  Mar 5, 2026 9:59pm
react-email-demo  Ready       Preview, Comment  Mar 5, 2026 9:59pm

@socket-security

socket-security bot commented Mar 5, 2026

Review the following changes in direct dependencies.

Diff     Package                          Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  @actions/github 7.0.0 ⏵ 9.0.0    97                     100            100 (+1)  90           100
Updated  glob 13.0.0 ⏵ 13.0.6             95 (-4)                100            99        93           100
Updated  @changesets/cli 2.29.8 ⏵ 2.30.0  96                     100            100 (+1)  97           100

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 7 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@pkg-pr-new

pkg-pr-new bot commented Mar 5, 2026

npm i https://pkg.pr.new/@react-email/preview-server@3020
npm i https://pkg.pr.new/react-email@3020

commit: 0377bb6

cursoragent and others added 6 commits March 5, 2026 18:22
Co-authored-by: Gabriel Miranda <gabrielmfern@outlook.com>
@gabrielmfern gabrielmfern requested a review from Cisneiros March 5, 2026 21:23
@gabrielmfern gabrielmfern marked this pull request as ready for review March 5, 2026 21:23
@gabrielmfern gabrielmfern requested review from cassiozen and removed request for Cisneiros March 5, 2026 21:24
@gabrielmfern gabrielmfern changed the title fix: dependency audit issues fix: dependency security issues Mar 5, 2026

2 participants