
chore(deps): update dependency mailkit to 4.15.1 #2445

Open
thomhurst wants to merge 1 commit into main from renovate/mailkit-4.x

Conversation

@thomhurst
Owner

@thomhurst thomhurst commented Mar 5, 2026

This PR contains the following updates:

Package Change Age Confidence
MailKit (source) 4.15.0 → 4.15.1 age confidence

Release Notes

jstedfast/MailKit (MailKit)

v4.15.1

Compare Source

  • SECURITY: Bumped MimeKit to 4.15.1 for a security fix that prevents mailbox addresses from being allowed
    to contain CRLF sequences which can be used to inject SMTP commands in the SmtpClient when it sends
    MAIL FROM or RCPT TO commands.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@thomhurst thomhurst added the dependencies (Pull requests that update a dependency file), PATCH and renovate-bot labels Mar 5, 2026
@thomhurst thomhurst enabled auto-merge (squash) March 5, 2026 14:49

@claude claude bot left a comment

Code Review

This PR updates the MailKit dependency from 4.15.0 → 4.15.1 via Renovate Bot.

Change Summary

  • Single-line change in Directory.Packages.props bumping MailKit patch version.

Assessment

This is a straightforward patch version bump — no API changes are expected. The change is:

  • Minimal blast radius: only one line changed in the centralized package versions file
  • Patch release: 4.15.0 → 4.15.1 follows semver conventions, indicating bug fixes only
  • Centralized package management: correctly uses Directory.Packages.props for Central Package Management (CPM), consistent with the repo's pattern

No concerns here. Safe to merge.

@claude claude bot left a comment

This is a straightforward patch version bump for MailKit (4.15.0 to 4.15.1) via Renovate Bot.

Assessment: Safe to merge. Single-line change in Directory.Packages.props updating a patch version, which follows semver conventions for bug fixes only. The repo correctly uses Central Package Management (CPM) for dependency versioning. No concerns.

@claude claude bot left a comment

Code Review (Follow-up)

This is a follow-up to previous reviews already posted on this PR.

Summary of Change

Single-line update in Directory.Packages.props: MailKit 4.15.0 → 4.15.1

Security Note (Important)

The previous reviews correctly identified this as safe to merge, but understated the significance. This is actually a security patch, not just a routine bug fix. Per the release notes:

SECURITY: Bumped MimeKit to 4.15.1 for a security fix that prevents mailbox addresses from being allowed to contain CRLF sequences which can be used to inject SMTP commands in the SmtpClient when it sends MAIL FROM or RCPT TO commands.

This is an SMTP command injection vulnerability fix. If the project uses MailKit's SmtpClient with any user-controlled email addresses, this patch closes a real attack vector.

Assessment

  • Change is correct: The single-line bump in the centralized Directory.Packages.props is the right approach for CPM-managed repos.
  • No API breaking changes: Patch version; existing code requires no modification.
  • Should be prioritized: Given the security nature, this should be merged promptly rather than waiting.

Approve — safe and recommended to merge.
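
An added illustration (not part of this thread, and not MailKit or MimeKit code) of the issue the release note describes, with a caller-side check that rejects such addresses before they reach a mail library. `SmtpAddressGuard`, its methods and the sample addresses are hypothetical and constructed for this example.

```csharp
using System;
using System.Linq;

// Added illustration; does not use or reproduce MailKit/MimeKit code.
static class SmtpAddressGuard
{
    // Hypothetical naive envelope builder: interpolates the address as-is.
    public static string BuildRcptTo(string address) => $"RCPT TO:<{address}>\r\n";

    // What a server parses: one command per line. CRLF is the standard
    // terminator; lenient servers also accept a bare LF, so split on LF.
    public static string[] CommandsSeenByServer(string wire) =>
        wire.Split('\n').Select(l => l.TrimEnd('\r')).Where(l => l.Length > 0).ToArray();

    // Defence in depth for callers: reject any control character
    // (CR, LF, NUL, ...) in an address taken from user input.
    public static bool IsSafeEnvelopeAddress(string address) =>
        !string.IsNullOrWhiteSpace(address) && !address.Any(c => char.IsControl(c));

    public static void Main()
    {
        // Constructed sample inputs (example.test is a reserved test domain).
        var inputs = new[]
        {
            "alice@example.test",
            "bob@example.test>\r\nRCPT TO:<extra@example.test",
            "carol@example.test\n",
        };

        foreach (var input in inputs)
        {
            var display = input.Replace("\r", "\\r").Replace("\n", "\\n");
            if (!IsSafeEnvelopeAddress(input))
            {
                // Count the lines the naive builder would have put on the wire.
                var lines = CommandsSeenByServer(BuildRcptTo(input));
                Console.WriteLine($"REJECT \"{display}\" (would be parsed as {lines.Length} lines)");
                continue;
            }
            Console.WriteLine($"OK     \"{display}\" -> {BuildRcptTo(input).TrimEnd()}");
        }
    }
}
```

The check complements the dependency bump rather than replacing it: the upgraded library is the fix, and the guard keeps malformed addresses out of logs, queues and any other consumer of the same input.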

@claude claude bot left a comment

Code Review

This PR has been reviewed in previous sessions. Confirming the assessment stands:

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Key points already noted in prior reviews:

  • This is a security patch — fixes an SMTP command injection vulnerability (CRLF injection in MAIL FROM/RCPT TO commands via user-controlled mailbox addresses in SmtpClient)
  • Correct approach: bumping in the centralized Directory.Packages.props file consistent with the repo's Central Package Management (CPM) pattern
  • No API-breaking changes; existing code requires no modification
  • Auto-merge is already enabled — appropriate for this type of security patch

No new concerns. Previous approval stands. Safe and recommended to merge promptly given the security nature of the fix.

@claude claude bot left a comment

Code Review

This PR has been reviewed in multiple prior sessions, and the assessment is consistent across all of them.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Prior reviews covered:

  • This is a security patch fixing an SMTP command injection vulnerability (CRLF injection in MAIL FROM/RCPT TO via user-controlled mailbox addresses in SmtpClient)
  • Correct CPM approach — single change in centralized Directory.Packages.props
  • No API-breaking changes
  • Auto-merge already enabled, which is appropriate

Current status: No new changes since previous approvals. The PR is already approved and auto-merge is enabled. Nothing further to add — safe to merge.

@claude claude bot left a comment

Code Review

This is a security patch update for MailKit from 4.15.0 to 4.15.1.

Summary

The change is a single-line version bump in Directory.Packages.props.

Security Significance

This update is important: the release notes explicitly call out a SECURITY fix — MimeKit 4.15.1 prevents mailbox addresses from containing CRLF sequences, which could be used to inject SMTP commands in SmtpClient when sending MAIL FROM or RCPT TO commands. This is a classic SMTP header injection vulnerability and the fix should be applied promptly.

Assessment

✅ The version bump is correct and targets the right package entry in the centralized Directory.Packages.props file (using Central Package Management, which is the right pattern).

✅ This is a PATCH-level update with high Renovate confidence, minimizing the risk of breaking changes.

✅ Given the security nature of this fix, auto-merging this dependency update is appropriate and recommended.

No concerns — this change should be merged promptly.

@claude claude bot left a comment

Code Review

This PR has been reviewed multiple times in prior sessions. The assessment remains consistent and unchanged.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Status: This is a security patch fixing an SMTP command injection vulnerability (CRLF injection in MAIL FROM/RCPT TO commands via user-controlled mailbox addresses in SmtpClient). The change is correct, minimal, and follows the repo's Central Package Management (CPM) pattern. Auto-merge is already enabled.

No new concerns. Safe to merge — and given the security nature of this fix, merging promptly is recommended.

@claude claude bot left a comment

Code Review

This PR has been reviewed multiple times in prior sessions and the assessment is consistent.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Security note: This is a security patch. The release notes explicitly call out a CRLF injection vulnerability fix in MimeKit that prevents mailbox addresses from injecting SMTP commands via the MAIL FROM / RCPT TO commands in SmtpClient. This makes the update important to merge promptly.

Assessment: Safe to merge. No concerns — this is a Renovate-generated dependency update with high merge confidence, minimal diff surface, and a clear security justification.

@claude claude bot left a comment

Code Review

This PR has been reviewed multiple times in prior sessions and the assessment is consistent across all of them.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

All prior review points stand:

  • This is a security patch — the release notes explicitly call out a fix for CRLF injection vulnerability in MimeKit that prevents mailbox addresses from injecting SMTP commands via MAIL FROM/RCPT TO in SmtpClient
  • The version bump is correctly placed in the centralized Directory.Packages.props, consistent with the repo's Central Package Management (CPM) pattern
  • No API-breaking changes; patch version follows semver conventions
  • Auto-merge is already enabled, which is appropriate for a high-confidence Renovate security patch

No new concerns. Safe to merge — and given the security nature of this fix, merging promptly is recommended.

codacy-production bot commented Apr 1, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity

Metric Results
Complexity 0 (≤ 20 complexity)

View in Codacy

TIP This summary will be updated as you push new changes. Give us feedback

@claude claude bot left a comment

Code Review

This PR has now accumulated 9 prior review comments from previous sessions, all reaching the same conclusion. I'll keep this brief.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Assessment: The change is correct and safe. All prior review points stand:

  • This is a security patch fixing a CRLF injection vulnerability in MimeKit that could allow SMTP command injection via user-controlled mailbox addresses in SmtpClient's MAIL FROM/RCPT TO commands
  • Correctly placed in the centralized Directory.Packages.props file, consistent with the repo's Central Package Management (CPM) pattern
  • Patch-level semver bump with no API-breaking changes
  • Auto-merge is already enabled, which is appropriate

One process observation: This PR has been open since early March 2026 with auto-merge enabled, yet it hasn't merged. If there's a CI check or branch protection rule blocking it, that may be worth investigating — a security patch sitting unmerged for a month is worth attention.

@claude claude bot left a comment

Code Review

This PR has now been reviewed 10 times across multiple sessions. All prior assessments remain consistent and valid, so this will be brief.

Change: MailKit 4.15.0 → 4.15.1 (single line in Directory.Packages.props)

Assessment: Safe to merge. The change is correct and minimal — a security patch fixing a CRLF injection vulnerability in MimeKit that could allow SMTP command injection via user-controlled mailbox addresses. It is correctly placed in the centralized Directory.Packages.props file, consistent with the repo's Central Package Management pattern.

Outstanding concern from last review: This PR has been open since early March 2026 with auto-merge enabled and approvals already in place. If something is blocking it from merging (a failing CI check, a required reviewer who hasn't approved, or a branch protection rule), that is worth investigating directly — a security patch remaining unmerged for over a month is a process gap worth closing.
