fix(deps): update dependency nodemailer to v7 [security] #4187
Conversation
/gcbrun

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request upgrades the
Code Review
This pull request updates nodemailer to v7 to address a security vulnerability. While this is a necessary update, it's a major version bump. My review highlights a potential breaking change due to the use of the deprecated nodemailer-smtp-transport package, which may not be compatible with nodemailer v7. I've recommended refactoring the code to use nodemailer's built-in SMTP transport and removing the obsolete dependency. This is a critical step to ensure the application continues to function correctly after the update.
| "@google-cloud/compute": "^4.0.0", | ||
| "@sendgrid/mail": "^8.0.0", | ||
| "nodemailer": "^6.0.0", | ||
| "nodemailer": "^7.0.7", | 
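Review bot: Moving `"nodemailer": "^6.0.0"` to `"^7.0.7"` crosses a major version while the accompanying review notes that compute/mailjet.js still wraps `createTransport` in the deprecated nodemailer-smtp-transport package; that dependency is not touched by this hunk. The switch to the built-in transport (`mailer.createTransport({ host: 'in.mailjet.com', port: 2525, ... })`) and the removal of nodemailer-smtp-transport from this dependency list should land in the same change, otherwise the bump ships a major upgrade whose only coverage is compute/test/mailjet.test.js, which mocks both libraries.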
While updating nodemailer to v7 is necessary for the security fix, this is a major version upgrade that might introduce breaking changes. The file compute/mailjet.js uses the nodemailer-smtp-transport package, which is deprecated and may not be compatible with nodemailer v7.

Since nodemailer v3, SMTP transport is built-in. You should refactor compute/mailjet.js to use the built-in transport and remove the nodemailer-smtp-transport dependency.

The current implementation in compute/mailjet.js is:

```javascript
const mailer = require('nodemailer');
const smtp = require('nodemailer-smtp-transport');
// ...
const transport = mailer.createTransport(
  smtp({
    host: 'in.mailjet.com',
    port: 2525,
    // ...
  })
);
```

This should be changed to:

```javascript
const mailer = require('nodemailer');
// ...
const transport = mailer.createTransport({
  host: 'in.mailjet.com',
  port: 2525,
  // ...
});
```

After refactoring the code, you should also remove nodemailer-smtp-transport from the dependencies in this file. Please also note that the tests in compute/test/mailjet.test.js mock both libraries and will not catch this potential integration issue.
Force-pushed from dc7d631 to 6298cd7

/gcbrun

Force-pushed from 6298cd7 to 3e771df

/gcbrun

Force-pushed from 3e771df to bee0702

/gcbrun

Force-pushed from bee0702 to 87afc68

/gcbrun

Force-pushed from 87afc68 to 570c798

/gcbrun

Force-pushed from 570c798 to f0c61a0

/gcbrun

Force-pushed from f0c61a0 to e804eda

/gcbrun
This PR contains the following updates:

| Package | Change |
| --- | --- |
| nodemailer | ^6.0.0 -> ^7.0.7 |

GitHub Vulnerability Alerts

GHSA-mm7p-fcc7-pg87

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload:

"[email protected] x"@internal.domain

Using the following code to send mail

Running the script and seeing how this mail is parsed according to RFC

But the email is sent to

[email protected]

Impact:

- Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.
- Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.
- Potential compliance issue: Violates RFC 5321/5322 parsing rules.
- Domain based access control bypass in downstream applications using your library to send mails

Recommendations

- Fix parser to correctly treat quoted local-parts per RFC 5321/5322.
- Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.
Release Notes

nodemailer/nodemailer (nodemailer)

- v7.0.7: Bug Fixes
- v7.0.6: Bug Fixes
- v7.0.5: Bug Fixes
- v7.0.4: Bug Fixes
- v7.0.3: Bug Fixes
- v7.0.2: Bug Fixes
- v7.0.1: Bug Fixes
- v7.0.0: ⚠ BREAKING CHANGES; Features
- v6.10.1: Bug Fixes
- v6.10.0: Features; Bug Fixes
- v6.9.16: Bug Fixes
- v6.9.15: Bug Fixes
- v6.9.14: Bug Fixes
- v6.9.13: Bug Fixes
- v6.9.12: Bug Fixes
- v6.9.11: Bug Fixes
- v6.9.10: Bug Fixes
- v6.9.9: Bug Fixes
- v6.9.8: Bug Fixes
- v6.9.7: Bug Fixes
- v6.9.6: Bug Fixes
- v6.9.5: Bug Fixes
- v6.9.4
- v6.9.3
- v6.9.2
- v6.9.1: Bug Fixes
- v6.9.0
- v6.8.0
- v6.7.8
- v6.7.7
- v6.7.6
- v6.7.5
- v6.7.4
- v6.7.3
- v6.7.2
- v6.7.1
- v6.7.0
- v6.6.5
- v6.6.4
- v6.6.3: "/* secret */"
- v6.6.2
- v6.6.1
- v6.6.0: newline for MailComposer
- v6.5.0
- v6.4.18
- v6.4.17
- v6.4.16
- v6.4.15
- v6.4.14
- v6.4.13
- v6.4.12
- v6.4.11
- v6.4.10
- v6.4.8
- v6.4.7
- v6.4.6: requeueAttempts=n should requeue n times (Patrick Malouin) [a27ed2f]
- v6.4.5
- v6.4.4: options.forceAuth for SMTP (Patrick Malouin) [a27ed2f]
- v6.4.3
- v6.4.2
- v6.4.1
- v6.4.0
- v6.3.1
- v6.3.0
- v6.2.1
- v6.1.1: authMethod property
- v6.1.0: amp for providing AMP4EMAIL content

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
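The quoted-local-part issue in GHSA-mm7p-fcc7-pg87 above, worked through as an added example that is neither nodemailer's code nor the advisory's: an RFC 5321/5322-aware addr-spec splitter beside an illustrative naive router that reproduces the misrouting, strict local-part validation along the lines of the advisory's second recommendation, and a downstream domain allowlist that shows the access-control bypass. The sample addresses, `naiveRouteDomain`, and the `allowQuotedLocalPart` option are constructed for this example and stand in for whatever the redacted payload on the page contained.

```javascript
'use strict';

// Added example (not nodemailer's code): how an RFC 5321/5322 quoted local-part
// can hide a second '@', why a naive parser misroutes it, and how a downstream
// domain allowlist should treat such addresses. Sample addresses are constructed.
const ATTACK = '"attacker@evil.example x"@internal.example';
const PLAIN = 'alice@internal.example';

// Illustrative naive routing of the bug class described in the advisory: take
// the text after the FIRST '@', up to whitespace or a quote, as the domain.
function naiveRouteDomain(addr) {
  const at = addr.indexOf('@');
  if (at === -1) return null;
  const m = /^[^\s"]+/.exec(addr.slice(at + 1));
  return m ? m[0] : null;
}

// RFC-aware split: the separating '@' is the one outside any quoted-string.
// Inside quotes, a backslash escapes the next character (quoted-pair).
function splitAddrSpec(addr) {
  let inQuotes = false;
  let at = -1;
  for (let i = 0; i < addr.length; i++) {
    const ch = addr[i];
    if (inQuotes) {
      if (ch === '\\') { i++; continue; }   // skip the escaped character
      if (ch === '"') inQuotes = false;
      continue;
    }
    if (ch === '"') { inQuotes = true; continue; }
    if (ch === '@') {
      if (at !== -1) return null;           // a second unquoted '@' is malformed
      at = i;
    }
  }
  if (inQuotes || at < 1 || at === addr.length - 1) return null;
  return { localPart: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Strict local-part validation (the advisory's second recommendation).
// Unquoted: a dot-atom of atext characters, so '@' is never accepted.
// Quoted: one complete quoted-string of qtextSMTP (printable ASCII except
// '"' and '\') or quoted-pairs; an embedded '@' is legal only in this form.
const DOT_ATOM = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const QUOTED_STRING = /^"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"$/;

function isValidLocalPart(local) {
  return local.startsWith('"') ? QUOTED_STRING.test(local) : DOT_ATOM.test(local);
}

// Domain-based access control as a downstream application might implement it.
// By default quoted local-parts are refused outright: even a valid one can be
// routed elsewhere by a buggy mail library, so the allowlist decision would
// not match the actual delivery target.
function isAllowedRecipient(addr, allowedDomains, { allowQuotedLocalPart = false } = {}) {
  const parts = splitAddrSpec(addr);
  if (!parts || !isValidLocalPart(parts.localPart)) return false;
  if (!allowQuotedLocalPart && parts.localPart.startsWith('"')) return false;
  return allowedDomains.includes(parts.domain.toLowerCase());
}

// The bypass in one view: the RFC-correct domain of ATTACK is internal.example,
// so a lenient allowlist passes it, while naive routing delivers to evil.example.
function demo() {
  return {
    rfcDomain: splitAddrSpec(ATTACK).domain,
    naiveDomain: naiveRouteDomain(ATTACK),
    lenientAllowlist: isAllowedRecipient(ATTACK, ['internal.example'], { allowQuotedLocalPart: true }),
    strictAllowlist: isAllowedRecipient(ATTACK, ['internal.example']),
  };
}

console.log(demo());
```

Run it with node. The strict default refuses quoted local-parts altogether, which is the safer policy for an application that grants access by recipient domain: the allowlist decision and the mail library's routing decision are then made on the same unambiguous string, so a parser bug of this class in the library cannot open a gap between them.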