Resend
React Email shipped three security patches this week, closing path-traversal, directory-enumeration, and prototype-pollution vectors in the preview server.
Security hardening landed across the React Email package. @react-email/ui@6.3.3 now rejects paths that resolve outside the configured emails directory in renderEmailByPath.1 @react-email/ui@6.3.1 removed a server action that accepted arbitrary filesystem paths from the client.2 @react-email/editor@1.4.8 fixed prototype pollution in the email-theming plugin by building theme objects from Object.create(null).3
Auth0 is now an official email provider. The integration routes transactional emails — verification codes, password resets — through the platform.4 Advanced routing uses an Auth0 Action with a stored API key for per-organization sender logic.
Bar, line, and area charts landed in the email editor. The Chart component is available in Broadcasts and Templates via slash command or the component toolbar; data comes from a spreadsheet-style table or raw JSON, and the editor renders output as images for cross-client consistency.5
AI prompts in the editor can now reference existing content. @-mentioning a broadcast, template, event, or property injects the actual document into the prompt server-side — no copy-pasting required.6
The Node SDK shed the svix dependency. v6.12.4 replaced it with standardwebhooks, reducing install size.7 The same release fixed payload mutation in emails, broadcasts, and templates, and added optional baseUrl and userAgent constructor params.
The Logs API, Automations/Events bindings across all three SDKs, Python async support (pip install "resend[async]"), and the MCP server's custom tracking-domain support remain active and stable.