
chore: Update mjml to 5.0.0 [SECURITY]#28570

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-mjml-vulnerability

Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 16, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| mjml (source) | ^4.15.3 → ^5.0.0 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

CVE-2025-67898 / GHSA-45h5-66jx-r2wf

More information

Details

MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.

Severity

  • CVSS Score: 4.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

mjmlio/mjml (mjml)

v5.0.0

Compare Source

Upgrade Guide

These are the changes users need to actively consider when upgrading to MJML 5.x.x from MJML 4.x (and early MJML 5 alphas):

Highlights

  • Replaced legacy html-minifier and js-beautify with htmlnano + cssnano. [breaking change]
  • Added templating syntax sanitization (runs before PostCSS and is restored afterwards)
  • Safer, stricter handling of mj-include and ignoreIncludes [breaking change]
  • Restructured outer HTML: the <body> tag is now driven by mj-body, not the global skeleton. [breaking change]
  • mjml-browser build/minification pipeline updated
  • Better attribute consistency across components (including more flexible border-radius). [breaking change]
  • Migration helper removed [breaking change]
  • Updated toolchain: Node 20/22/24 in CI. Removed Node 16/18 [breaking change]

HTML/CSS minification & formatting

What changed
  • HTML minification now uses htmlnano instead of html-minifier.
  • CSS minification now uses cssnano presets wired via mjml-core.
  • Minification options can be added via .mjmlconfig.js
Impact [potential breaking changes]
  • Generated HTML is more aggressively minified. If you rely on exact formatting (e.g. diffing raw HTML, parsing by regex, or checking snapshots), you may see changes.
  • Some obscure html-minifier specific options used in custom tooling will no longer apply; options are now expressed as htmlnano/cssnano configs.
  • Template tags may error in PostCSS (see Template syntax handling and sanitization below)
  • Fixes this issue: #2589
What to do
  • Review any automation that assumes pretty-printed HTML (tests, diffs, CI snapshot comparisons).
  • If you previously passed minify/beautify flags or custom minifier options, re-map them to the new htmlnano/cssnano config.
Notes
  • cssnano uses lite preset by default. Due to this issue: #2919. default preset can be used if your fonts don't contain numerals
More detail: (#2858 (comment))

Template syntax handling and sanitization (PostCSS)

What changed
  • Template syntax (e.g. {{ }}) is now sanitized before PostCSS and with syntax restored post-processing.
Impact
  • A CssSyntaxError error will occur when applying CSS minification to files with some template syntax
  • Fixes this issue: #2858 (comment)
What to do
  • If you use a templating engine on top of MJML (Handlebars, Liquid, Twig, etc.), run your existing templates and visually verify output.
  • Pay special attention to templates that put templating markers in CSS or style attributes.
More detail: (#2858 (comment))

Includes are more locked down

What changed
  • ignoreIncludes / allowIncludes (CLI) defaults and behavior have changed to be more secure. Includes are ignored by default
  • A new includePath option is introduced to explicitly control where includes can be loaded from outside of a templates filePath
  • Support MJML, HTML and CSS includes only
Impact [potential breaking changes]
  • Includes are ignored by default, you will need to explicitly allow them
  • Projects that relied on implicit include behavior (e.g. loading templates from arbitrary paths without explicit configuration) may now fail, warn, or simply skip includes.
  • In locked-down environments (containers, CI, hosting), path resolution for includes may change and require configuration.
  • Fixes this issue: #2589
What to do
  • Audit usage of mj-include and any config that touches ignoreIncludes / allowIncludes.
  • Explicitly configure includePath (and related options) in your .mjmlconfig or CLI usage to match your desired include directories (see docs)
  • Expect safer, stricter defaults; don't rely on includes working without explicit configuration.
More detail: (#2858 (comment))

mj-body and skeleton structure

What changed
  • The <body> HTML tag is now generated under mj-body instead of a global skeleton file.
  • Added id attribute to mj-body
  • mj-body attributes have been refactored:
    • class attribute is applied to the body tag rather than the child div
    • background-color removed from body, applies to child div only
Impact [potential breaking changes]
  • If you rely on the exact skeleton (where <body> lived, what attributes were on it), this structure is now different.
  • External CSS that relies on the specific placement of the class may no longer apply
  • Fixes this issue: #2396
What to do
  • Re-check any tooling that injects or manipulates the outer HTML skeleton around MJML output.
  • Re-verify any CSS relating to class or background-color attributes that were applied to mj-body
Notes

Browser bundle / build scripts

What changed
  • mjml-browser build/minification pipeline has been updated to use new minifiers
Why
  • New minifiers were not compatible
Impact
  • If you import mjml-browser directly or depended on its legacy build scripts, behavior and bundle size/shape might change.
  • Bundle size down from 1.22M to 1.04M
What to do
  • Re‑build any tools using mjml-browser and verify they still load, minify, and run as expected.

Attributes & layout consistency

What changed
  • All border-radius attributes now accept a string, previously this was inconsistent across components. Allows more flexible input
  • Updated the inner-padding attributes of mj-hero and fixed an Outlook issue with width/padding
Impact [potential breaking changes]
  • For some components, border-radius values are less strict
  • inner-padding for mj-hero is now applied to all clients, not just Outlook
What to do
  • Visual regression-test focusing on all instances of border-radius and mj-hero's inner-padding

Migration helper removal

What changed
  • The standalone mjml-migrate tool and associated noMigrateWarn option are removed.
Impact [potential breaking changes]
  • You can no longer rely on MJML 5 to automatically migrate very old MJML syntax (3.x/early 4.x) on the fly.
What to do
  • If you still have legacy MJML, migrate those templates with MJML 4 tooling before moving the project to MJML 5, or update them manually.

Node.js version support

What changed
  • CI now runs against Node LTS 20, 22 and 24; older Node versions are effectively deprecated/unsupported.
Impact [potential breaking changes]
  • MJML 5 may not work (or will be untested) on Node 16/18 in the long term.
What to do
  • Plan to run MJML 5 on Node 20, 22 or 24 in CI and production.

Full Changelog: mjmlio/mjml@v4.18.0...v5.0.0

v4.18.0

Compare Source

What's Changed

Documentation

Full Changelog: mjmlio/mjml@v4.17.2...v4.18.0

v4.17.2

Compare Source

What's Changed

Fixes

Full Changelog: mjmlio/mjml@v4.17.1...v4.17.2

v4.17.1

Compare Source

What's Changed

Fixes

Full Changelog: mjmlio/mjml@v4.17.0...v4.17.1

v4.17.0

Compare Source

What's Changed

Features
Fixes
Documentation
Other

New Contributors

Full Changelog: mjmlio/mjml@v4.16.1...v4.17.0

v4.16.1

Compare Source

Fixes

  • Fix build issue of version 4.16.0 for mjml-browser

Full Changelog: mjmlio/mjml@v4.16.0...v4.16.1

v4.16.0

Compare Source

What's Changed

Features
Fixes
Documentation
Dependencies

New Contributors

Full Changelog: mjmlio/mjml@v4.15.3...v4.16.0


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Contributor

github-actions Bot commented Apr 16, 2026

⚠️ Ownership acknowledgement required

Please add or check the following item in your PR description before this can be merged:

- [x] I have seen this code, I have run this code, and I take responsibility for this code.

@github-actions
Contributor

github-actions Bot commented Apr 16, 2026

Performance Comparison

Comparing: current / latest master / 14-day baseline

Memory consumption baseline with starter plan resources

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| memory-rss-baseline | 286.88 MB | 295.84 MB | 290.89 MB (σ 29.40) | -3.0% | -1.4% | |
| memory-heap-used-baseline | 114.91 MB | 118.45 MB | 115.30 MB (σ 1.79) | -3.0% | -0.3% | |

docker-stats

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| docker-image-size-n8n | 1269.76 MB | 1423.36 MB | 1291.95 MB (σ 44.18) | -10.8% | -1.7% | |
| docker-image-size-runners | 387.00 MB | 413.00 MB | 391.78 MB (σ 9.69) | -6.3% | -1.2% | |

Idle baseline with Instance AI module loaded

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| instance-ai-rss-baseline | 342.11 MB | 352.70 MB | 367.22 MB (σ 21.72) | -3.0% | -6.8% | ⚠️ |
| instance-ai-heap-used-baseline | 187.35 MB | 191.66 MB | 187.42 MB (σ 1.77) | -2.2% | -0.0% | |

How to read this table
  • Current: This PR's value (or latest master if PR perf tests haven't run)
  • Latest Master: Most recent nightly master measurement
  • Baseline: Rolling 14-day average from master
  • vs Master: PR impact (current vs latest master)
  • vs Baseline: Drift from baseline (current vs rolling avg)
  • Status: ✅ within 1σ | ⚠️ 1-2σ | 🔴 >2σ regression

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Architecture diagram
```mermaid
sequenceDiagram
    participant App as n8n CLI / Service
    participant MJML as MJML v5 Engine
    participant FS as File System
    participant PostCSS as PostCSS Processor
    participant Min as htmlnano / cssnano

    Note over App,Min: Security Update: CVE-2025-67898 (Directory Traversal Fix)

    App->>MJML: mjml2html(template, options)

    MJML->>MJML: NEW: Validate allowIncludes (Default: false)

    alt NEW: Includes allowed and path provided
        MJML->>MJML: NEW: Check includePath boundaries
        MJML->>FS: Read partial (mj-include)
        FS-->>MJML: File content
    else Includes ignored/restricted
        Note over MJML: CHANGED: Includes skipped by default
    end

    MJML->>MJML: NEW: Sanitize template syntax (e.g. {{ handlebars }})

    MJML->>PostCSS: Process styles
    PostCSS-->>MJML: Processed CSS

    MJML->>MJML: NEW: Restore template syntax

    opt Minify enabled
        MJML->>Min: CHANGED: Minify via htmlnano + cssnano
        Min-->>MJML: Optimized Output
    end

    Note over MJML: CHANGED: Generate <body> via mj-body component

    MJML-->>App: Rendered HTML string
```

@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] chore: Update mjml to 5.0.0 [SECURITY] - autoclosed Apr 17, 2026
@renovate renovate Bot closed this Apr 17, 2026
@renovate renovate Bot deleted the renovate/npm-mjml-vulnerability branch April 17, 2026 12:21
@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] - autoclosed chore: Update mjml to 5.0.0 [SECURITY] Apr 17, 2026
@renovate renovate Bot reopened this Apr 17, 2026
@renovate renovate Bot force-pushed the renovate/npm-mjml-vulnerability branch 2 times, most recently from 8501443 to 975d49d Compare April 17, 2026 12:55
@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] chore: Update mjml to 5.0.0 [SECURITY] - autoclosed Apr 20, 2026
@renovate renovate Bot closed this Apr 20, 2026
@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] - autoclosed chore: Update mjml to 5.0.0 [SECURITY] Apr 20, 2026
@renovate renovate Bot reopened this Apr 20, 2026
@renovate renovate Bot force-pushed the renovate/npm-mjml-vulnerability branch 2 times, most recently from 975d49d to 6fb7a9e Compare April 20, 2026 12:08
@codecov

codecov Bot commented Apr 20, 2026

Bundle Report

Bundle size has no change ✅

Affected Assets, Files, and Routes:

view changes for bundle: editor-ui-esm

Assets Changed:

| Asset Name | Size Change | Total Size | Change (%) |
|---|---|---|---|
| assets/worker-*.js | 3.14MB | 3.15MB | 17517.58% ⚠️ |
| assets/worker-*.js | -3.14MB | 17.9kB | -99.43% |

@codecov

codecov Bot commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@n8n-assistant n8n-assistant Bot added the community (Authored by a community member) and core (Enhancement outside /nodes-base and /editor-ui) labels Apr 20, 2026
@renovate renovate Bot force-pushed the renovate/npm-mjml-vulnerability branch 4 times, most recently from 8ae6d31 to ad86158 Compare April 24, 2026 10:01
@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] chore: Update mjml to 5.0.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore: Update mjml to 5.0.0 [SECURITY] - autoclosed chore: Update mjml to 5.0.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-mjml-vulnerability branch 2 times, most recently from ad86158 to e625103 Compare April 27, 2026 09:53
@renovate renovate Bot force-pushed the renovate/npm-mjml-vulnerability branch from e625103 to f773b6b Compare April 27, 2026 15:17
@renovate
Contributor Author

renovate Bot commented Apr 27, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[2472:0x2725d000]   133849 ms: Scavenge (interleaved) 1487.3 (1498.0) -> 1486.7 (1502.5) MB, pooled: 0 MB, 19.46 / 0.00 ms  (average mu = 0.343, current mu = 0.368) task; 
[2472:0x2725d000]   136045 ms: Mark-Compact (reduce) 1491.3 (1503.6) -> 1487.1 (1496.7) MB, pooled: 0 MB, 528.99 / 0.02 ms  (+ 947.9 ms in 61 steps since start of marking, biggest step 19.8 ms, walltime since start of marking 1721 ms) (average mu = 0.373,
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory

Labels

community (Authored by a community member), core (Enhancement outside /nodes-base and /editor-ui), security vulnerability
