chore(deps): update axllent/mailpit docker tag to v1.29.7

[renovate]

This PR contains the following updates:

Package	Update	Change
axllent/mailpit (source)	minor	v1.27.10 → v1.29.7

---

Release Notes

axllent/mailpit (axllent/mailpit)

v1.29.7

Compare Source

Chore

• Bump vue-router from 4.6.4 to 5.0.4
• Bump axios version to 1.15.0
• Update Go dependencies
• Update node dependencies

v1.29.6

Compare Source

Chore

• Bump docker/login-action from 3 to 4 (#​670)
• Bump actions/stale from 10.1.1 to 10.2.0 (#​669)
• Bump docker/setup-buildx-action from 3 to 4 (#​668)
• Bump docker/setup-qemu-action from 3 to 4 (#​666)
• Bump docker/build-push-action from 6 to 7 (#​665)
• Update Go dependencies
• Update node dependencies

Fix

• Version check logic in version command and self updater (#​673)

v1.29.5

Compare Source

Security

• Add sandbox attribute to message iframe for extra later of security (already protected via CSP headers)

Feature

• Add option to disable auto-VACUUMing of the SQLite database (#​661)

Chore

• Update Go dependencies
• Update node dependencies

v1.29.4

Compare Source

Feature

• Add filter functionality to message headers tab

Chore

• Update Go dependencies
• Update node dependencies

Fix

• Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#​656)

v1.29.3

Compare Source

Security

• Enhance CORS origin handling to respect host:port distinctions
• Limit proxy requests to 50MB to prevent OOM attacks
• Enhance HTML sanitization in message view
• Enhance HTML sanitization in screenshot generation
• Escape ContentID in HTML replacement to prevent regex injection

Chore

• Use last release + git hash in Docker edge versions
• Bump minimatch from 10.2.2 to 10.2.4
• Refactor code with go fix
• Switch to math/rand/v2
• Refactor API send authentication logic
• Refactor events websocket middleware
• Set timeout for HTTP client in webhook Send function
• Use local hostname for EHLO/HELO in SMTP communication
• Simplify HTML decoding function in screenshot generation using DOMParser
• Set margin & padding to HTML screenshot to prevent transparent top/left border
• Replace localStorage retrieval with a dedicated function for default release addresses
• Limit subject length to 100 characters in browser notifications
• Improve transaction handling in pruneMessages and fix loop continuation in InitDB
• Update Content-Disposition header to use inline display and escape filename
• Refactor timezone handling in searchQueryBuilder
• Update Go dependencies
• Update node dependencies

Fix

• Update SQL query to use tenant when using is:tagged filter

v1.29.2

Compare Source

Security

• Prevent Server-Side Request Forgery (SSRF) via Link Check API (GHSA-mpf7-p9x7-96r3)

Chore

• Upgrade eslint JavaScript linting
• Update Go dependencies
• Update node dependencies
• Update caniemail test database

Fix

• Update install instructions when setting INSTALL_PATH
• Include 8BITMIME in SMTPD EHLO response (#​648)

v1.29.1

Compare Source

Chore

• Add CORS error logging and update error messages for failed CORS requests
• Bump axios from 1.13.4 to 1.13.5
• Update Go dependencies
• Update node dependencies

Fix

• Enable "Mark all read" button (Inbox) when new message is received

v1.29.0

Compare Source

Feature

• Include message attachment checksums (MD5, SHA1 & SHA254) in API message summary
• Option to display/hide attachment information in message view in web UI including checksums, content type & disposition

Chore

• Add support for multi-origin CORS settings and apply to events websocket (#​630)
• Add support for webhook delay (#​627)
• Update Go dependencies
• Update node dependencies

Test

• Add CORS tests
• Add message summary attachment checksum tests

v1.28.4

Compare Source

Chore

• Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#​620)
• Update Go dependencies
• Update node dependencies

Fix

• Ensure SMTP HELO/EHLO command is issued before MAIL FROM as per RFC 5321 (#​621)
• Prevent nested MAIL command during an active SMTP transaction (#​623)
• Avoid error on image type assertion in thumbnail generation

v1.28.3

Compare Source

Security

• Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
• Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Chore

• Fix formatting and update reporting instructions in SECURITY.md (#​614)
• Allow @ character in message tags & set max length to 100 characters per tag
• Update Go dependencies
• Update node dependencies

Fix

• Correctly render default addresses in release modal after settings change (#​594)
• Correctly detect macOS group in install.sh (#​619)
• Auto-tagging using SMTP username using plain auth (#​617)
• Validate maximum lengths of email addresses - RFC5321 (section 4.5.3.1)

Test

• Update tag tests with length limits and @ character
• Add SMTP tests for address compliancy (RFC 5322) and header injection
• Add maximum email length validation tests - RFC5321 (section 4.5.3.1)

v1.28.2

Compare Source

Security

• Prevent Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data CVE-2026-22689

Feature

• Allow default mail addresses to be set when releasing message (#​594)

Chore

• Remove webkit warnings about missing template / render functions
• Avoid empty URL query parameter when returning to inbox from message view

v1.28.1

Compare Source

Security

• Restrict screenshot proxy to only support asset links contained in messages CVE-2026-21859

Chore

• Bump actions/checkout from 5 to 6 (#​610)
• Bump actions/cache from 4 to 5 (#​607)
• Bump actions/stale from 10.0.0 to 10.1.1 (#​604)
• Bump actions/setup-node from 5 to 6 (#​598)
• Bump esbuild from 0.25.12 to 0.27.2 (#​611)
• Update Go dependencies
• Update node dependencies

Test

• Add inline message tests
• Increase swagger test timeout

v1.28.0

Compare Source

Feature

• Optionally propagate SMTP errors (#​588)

Chore

• Update Go dependencies
• Update node dependencies
• Update caniemail test database

v1.27.11

Compare Source

Chore

• Update Go dependencies
• Update node dependencies
• Add type assertion for value in imaging assignment

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.