Fix yarn audit vulnerabilities across backend and frontend

- Upgrade nodemailer ^8.0.2 → ^8.0.4 (SMTP command injection, low)
- Upgrade @angular/* ~20.3.16 → ~20.3.18 (XSS in i18n bindings, high)
- Upgrade lodash-es ^4.17.21 → ^4.17.23 + resolution (prototype pollution, moderate)
- Replace private-ip with ipaddr.js for private IP detection (SSRF, high, no patch available)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: gugu

backend/package.json

@@ -79,7 +79,7 @@
 		"langchain": "^1.2.34",
 		"lru-cache": "^11.2.7",
 		"nanoid": "5.1.7",
-		"nodemailer": "^8.0.2",
+		"nodemailer": "^8.0.4",
 		"nunjucks": "^3.2.4",
 		"openai": "^6.32.0",
 		"otplib": "^12.0.1",

frontend/package.json

@@ -17,16 +17,16 @@
 	},
 	"private": true,
 	"dependencies": {
-		"@angular/animations": "~20.3.16",
+		"@angular/animations": "~20.3.18",
 		"@angular/cdk": "~20.2.14",
-		"@angular/common": "~20.3.16",
-		"@angular/compiler": "~20.3.16",
-		"@angular/core": "~20.3.16",
-		"@angular/forms": "~20.3.16",
+		"@angular/common": "~20.3.18",
+		"@angular/compiler": "~20.3.18",
+		"@angular/core": "~20.3.18",
+		"@angular/forms": "~20.3.18",
 		"@angular/material": "~20.2.14",
-		"@angular/platform-browser": "~20.3.16",
-		"@angular/platform-browser-dynamic": "~20.3.16",
-		"@angular/router": "~20.3.16",
+		"@angular/platform-browser": "~20.3.18",
+		"@angular/platform-browser-dynamic": "~20.3.18",
+		"@angular/router": "~20.3.18",
 		"@brumeilde/ngx-theme": "^1.2.1",
 		"@fontsource/ibm-plex-mono": "^5.2.7",
 		"@fontsource/noto-sans": "^5.2.10",
@@ -54,7 +54,7 @@
 		"knip": "^5.79.0",
 		"libphonenumber-js": "^1.12.9",
 		"lodash": "^4.17.21",
-		"lodash-es": "^4.17.21",
+		"lodash-es": "^4.17.23",
 		"mermaid": "^11.12.1",
 		"monaco-editor": "0.55.1",
 		"ng-dynamic-component": "^10.8.0",
@@ -65,7 +65,6 @@
 		"pluralize": "^8.0.0",
 		"postgres-interval": "^4.0.2",
 		"posthog-js": "^1.341.0",
-		"private-ip": "^3.0.2",
 		"puppeteer": "^24.29.1",
 		"rxjs": "^7.4.0",
 		"tslib": "^2.8.1",
@@ -77,8 +76,8 @@
 		"@angular-devkit/build-angular": "20",
 		"@angular/build": "20.3.14",
 		"@angular/cli": "~20.3.14",
-		"@angular/compiler-cli": "~20.3.16",
-		"@angular/language-service": "~20.3.16",
+		"@angular/compiler-cli": "~20.3.18",
+		"@angular/language-service": "~20.3.18",
 		"@sentry-internal/rrweb": "^2.16.0",
 		"@storybook/angular": "^10.2.14",
 		"@types/node": "^22.10.2",
@@ -92,7 +91,8 @@
 	},
 	"resolutions": {
 		"mermaid": "^11.10.0",
-		"webpack": "5.104.1"
+		"webpack": "5.104.1",
+		"lodash-es": "4.17.23"
 	},
 	"packageManager": "yarn@1.22.22"
 }

frontend/src/app/validators/hostname.validator.ts

@@ -1,9 +1,19 @@
 import { AbstractControl, ValidationErrors, ValidatorFn } from '@angular/forms';
-import is_ip_private from 'private-ip';
+import * as ipaddr from 'ipaddr.js';
 import isFQDN from 'validator/es/lib/isFQDN';
 import isIP from 'validator/es/lib/isIP';
 import { DBtype } from '../models/connection';
 
+const PRIVATE_RANGES = new Set(['private', 'loopback', 'linkLocal', 'unspecified', 'carrierGradeNat', 'uniqueLocal']);
+
+function isPrivateIP(ip: string): boolean {
+	try {
+		return PRIVATE_RANGES.has(ipaddr.process(ip).range());
+	} catch {
+		return false;
+	}
+}
+
 export function hostnameValidation(dbType: DBtype): ValidatorFn {
 	return (control: AbstractControl): ValidationErrors | null => {
 		if (control.value) {
@@ -21,7 +31,7 @@ export function hostnameValidation(dbType: DBtype): ValidatorFn {
 				hostname = hostname.replace(/^mongodb\+srv:\/\//, '');
 			}
 
-			if (control.value === 'localhost' || (isIP(control.value) && is_ip_private(control.value)))
+			if (control.value === 'localhost' || (isIP(control.value) && isPrivateIP(control.value)))
 				return { isLocalhost: true };
 			if (!(isIP(hostname) || isFQDN(hostname))) return { isInvalidHostname: true };
 		}