chore(deps): update @react-email/ui to 6.4.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@react-email/ui (source)	6.1.4 → 6.4.0
react-email (source)	6.1.4 → 6.4.0

---

Release Notes

resend/react-email (@​react-email/ui)

v6.4.0

Compare Source

v6.3.3

Compare Source

Patch Changes

• 86745ec: reject paths that resolve outside the configured emails directory in renderEmailByPath and getEmailPathFromSlug to close a path-traversal vector in the preview server

v6.3.2

Compare Source

v6.3.1

Compare Source

Patch Changes

• 27587f1: stop accepting the emails directory path as a server-action argument

  The getEmailsDirectoryMetadataAction server action used to take an
  absolute filesystem path from the client and walk that directory on the
  server, which allowed any caller of the endpoint to enumerate arbitrary
  directories on the host. The action now reads the path from the server-only
  REACT_EMAIL_INTERNAL_EMAILS_DIR_ABSOLUTE_PATH env variable and ignores
  client input.

v6.3.0

Compare Source

Minor Changes

• 99cadf3: support previewing HTML email templates

Patch Changes

• fd140fc: quality of life improvements to the send email flow:
  • infer a proper title based on the file name
  • store preferred subject per email when modified
  • store recipient for testing in local storage as well

v6.2.0

Compare Source

v6.1.5

Compare Source

resend/react-email (react-email)

v6.4.0

Compare Source

Minor Changes

• ba99365: resolve and strip unresolved --tw-* CSS variables in non-inlinable rules so Tailwind media query utilities no longer break Gmail

v6.3.3

Compare Source

v6.3.2

Compare Source

Patch Changes

• fbda5c8: increase whitespace padding to 200 characters for better Gmail preview text rendering

v6.3.1

Compare Source

Patch Changes

• c610dc0: fix: padding in Container/Section failing on Klaviyo and Outlook desktop

v6.3.0

Compare Source

v6.2.0

Compare Source

Minor Changes

• 192d82a: Add theme and utility props to <Tailwind> for Tailwind v4 CSS-first configuration. Both accept a CSS string and can be combined with the existing config prop.

  import themeCss from "./theme.css?inline";
  
  <Tailwind theme={themeCss}>
    <div className="bg-brand font-display">Custom themed content</div>
  </Tailwind>;

  Empty strings are no-ops. The base Tailwind theme and utilities are still loaded — theme and utility layer on top.

  The preview server, email export, and the caniemail compatibility check all understand the Vite-style ?inline and ?raw suffixes on CSS imports, so the pattern above works the same in your project and inside the preview UI. The compatibility check also extracts the theme and utility props (in addition to config) when analyzing your template, so any caniemail incompatibilities in CSS produced by those props will surface as warnings.

  Internal note: the exported setupTailwind helper now takes { config, cssConfigs } instead of a positional TailwindConfig. Calling it with the old shape throws with a migration hint.

Patch Changes

• 06f1d05: Watch directories targeted by dynamic import() template literals so changes to runtime-resolved files trigger preview reloads.

v6.1.5

Compare Source

Patch Changes

• 1a61cb0: Avoid OOM when running email export on projects with many templates. esbuild builds now run in batches of 10 entry points, and the render phase runs each batch of 25 templates inside a worker_threads worker so V8 isolate memory is reclaimed between batches.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​react-email/​ui@​6.1.4 ⏵ 6.4.0	+1		+1	+1
	react-email@​6.1.4 ⏵ 6.4.0	+1		+1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/react-email@6.4.0 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report