@renovate-bot renovate-bot commented Oct 7, 2025

This PR contains the following updates:

Package               Change              Age      Confidence
nodemailer (source)   ^6.0.0 -> ^7.0.7    (badge)  (badge)

GitHub Vulnerability Alerts

GHSA-mm7p-fcc7-pg87

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "[email protected] x"@internal.domain
Using the following code to send mail:

const nodemailer = require("nodemailer");

// Credentials intentionally left blank in the report; fill in a test account.
let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <[email protected]>',
  // Quoted local-part containing an "@"; per RFC 5321 the domain is internal.domain.
  to: "\"[email protected] x\"@internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);
});

// Parse the same recipient with an RFC-compliant parser for comparison.
(async () => {
  const parser = await import("@sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();

Running the script and seeing how this mail is parsed according to RFC:

Parsed email: {
  address: '"[email protected] x"@internal.domain',
  local: '"[email protected] x"',
  domain: 'internal.domain'
}

But the email is sent to [email protected]

Impact:

  • Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

  • Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

  • Potential compliance issue: Violates RFC 5321/5322 parsing rules.

  • Domain-based access control bypass in downstream applications using your library to send mail

Recommendations

  • Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

  • Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.


Release Notes

nodemailer/nodemailer (nodemailer)

v7.0.7

Bug Fixes
  • addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
  • dns: add memory leak prevention for DNS cache (0240d67)
  • linter: Updated eslint and created prettier formatting task (df13b74)
  • refresh expired DNS cache on error (#1759) (ea0fc5a)
  • resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

Bug Fixes
  • encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
  • handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
  • ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

v7.0.5

Bug Fixes
  • updated well known delivery service list (fa2724b)

v7.0.4

Bug Fixes
  • pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
  • smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
  • well-known-services: Added AliyunQiye (bb9e6da)

v7.0.3

Bug Fixes
  • attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

v7.0.2

Bug Fixes
  • ses: Fixed structured from header (faa9a5e)

v7.0.1

Bug Fixes
  • ses: Use formatted FromEmailAddress for SES emails (821cd09)

v7.0.0

⚠ BREAKING CHANGES
  • SESv2 SDK support, removed older SES SDK v2 and v3, removed SES rate limiting and idling features
Features
  • SESv2 SDK support, removed older SES SDK v2 and v3, removed SES rate limiting and idling features (15db667)

v6.10.1

Bug Fixes

v6.10.0

Features
Bug Fixes
  • proxy: Set error and timeout errors for proxied sockets (aa0c99c)

v6.9.16

Bug Fixes
  • addressparser: Correctly detect if user local part is attached to domain part (f2096c5)

v6.9.15

Bug Fixes

v6.9.14

Bug Fixes
  • api: Added support for Ethereal authentication (56b2205)
  • services.json: Add Email Services Provider Feishu Mail (CN) (#1648) (e9e9ecc)
  • services.json: update Mailtrap host and port in well known (#1652) (fc2c9ea)
  • well-known-services: Add Loopia in well known services (#1655) (21a28a1)

v6.9.13

Bug Fixes
  • tls: Ensure servername for SMTP (d66fdd3)

v6.9.12

Bug Fixes
  • message-generation: Escape single quote in address names (4ae5fad)

v6.9.11

Bug Fixes
  • headers: Ensure that Content-type is the bottom header (c7cf97e)

v6.9.10

Bug Fixes
  • data-uri: Do not use regular expressions for parsing data URI schemes (12e65e9)
  • data-uri: Moved all data-uri regexes to use the non-regex parseDataUri method (edd5dfe)

v6.9.9

Bug Fixes
  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurrences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

v6.9.8

Bug Fixes
  • punycode: do not use native punycode module (b4d0e0c)

v6.9.7

Bug Fixes
  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

v6.9.6

Bug Fixes
  • inline: Use 'inline' as the default Content Disposition value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5

Bug Fixes
  • license: Updated license year (da4744e)

v6.9.4

  • Renamed SendinBlue to Brevo

v6.9.3

  • Specified license identifier (was defined as MIT, actual value MIT-0)
  • If SMTP server disconnects with a message, process it and include as part of the response error

v6.9.2

  • Fix uncaught exception on invalid attachment content payload

v6.9.1

Bug Fixes
  • addressparser: Correctly detect if user local part is attached to domain part (f2096c5)

v6.9.0

  • Do not throw if failed to resolve IPv4 addresses
  • Include EHLO extensions in the send response
  • fix sendMail function: callback should be optional

v6.8.0

  • Add DNS timeout (huksley)
  • add dns.REFUSED (lucagianfelici)

v6.7.8

  • Allow to use multiple Reply-To addresses

v6.7.7

  • Resolver fixes

v6.7.6

v6.7.5

  • No changes, pushing a new README to npmjs.org

v6.7.4

  • Ensure compatibility with Node 18
  • Replaced Travis with Github Actions

v6.7.3

  • Typo fixes
  • Added stale issue automation for Github
  • Add Infomaniak config to well known service (popod)
  • Update Outlook/Hotmail host in well known services (popod)
  • fix: DSN recipient gets ignored (KornKalle)

v6.7.2

  • Fix proxies for account verification

v6.7.1

  • fix verify on ses-transport (stanofsky)

v6.7.0

  • Updated DNS resolving logic. If there are multiple responses for an A/AAAA record, then loop these randomly instead of only caching the first one

v6.6.5

  • Replaced Object.values() and Array.flat() with polyfills to allow using Nodemailer in Node v6+

v6.6.4

  • Better compatibility with IPv6-only SMTP hosts (oxzi)
  • Fix ses verify for sdk v3 (hannesvdvreken)
  • Added SECURITY.txt for contact info

v6.6.3

  • Do not show passwords in SMTP transaction logs. All passwords used in logging are replaced by "/* secret */"

v6.6.2

v6.6.1

  • Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#1289)

v6.6.0

  • Added new option newline for MailComposer
  • aws ses connection verification (Ognjen Jevremovic)

v6.5.0

  • Pass through textEncoding to subnodes
  • Added support for AWS SES v3 SDK
  • Fixed tests

v6.4.18

  • Updated README

v6.4.17

  • Allow mixing attachments with calendar alternatives

v6.4.16

  • Applied updated prettier formatting rules

v6.4.15

  • Minor changes in header key casing

v6.4.14

  • Disabled postinstall script

v6.4.13

  • Fix normalizeHeaderKey method for single node messages

v6.4.12

  • Better handling of attachment filenames that include quote symbols
  • Includes all information from the oauth2 error response in the error message (Normal Gaussian) [1787f22]

v6.4.11

  • Fixed escape sequence handling in address parsing

v6.4.10

  • Fixed RFC822 output for MailComposer when using invalid content-type value. Mostly relevant if message attachments have strange content-type values set.

v6.4.8

v6.4.7

  • Always set charset=utf-8 for Content-Type headers
  • Catch error when using invalid crypto.sign input

v6.4.6

  • fix: requeueAttempts=n should requeue n times (Patrick Malouin) [a27ed2f]

v6.4.5

v6.4.4

  • Add options.forceAuth for SMTP (Patrick Malouin) [a27ed2f]

v6.4.3

  • Added an option to specify max number of requeues when connection closes unexpectedly (Igor Sechyn) [8a927f5]

v6.4.2

  • Fixed bug where array item was used with a potentially empty array

v6.4.1

  • Updated README

v6.4.0

  • Do not use auth if server does not advertise AUTH support [f419b09]
  • add dns.CONNREFUSED (Hiroyuki Okada) [5c4c8ca]

v6.3.1

  • Ignore "end" events because it might be "error" after it (dex4er) [72bade9]
  • Set username and password on the connection proxy object correctly (UsamaAshraf) [250b1a8]
  • Support more DNS errors (madarche) [2391aa4]

v6.3.0

  • Added new option to pass a set of httpHeaders to be sent when fetching attachments. See PR #1034

v6.2.1

  • No changes. It is the same as 6.2.0 that was accidentally published as 6.2.1 to npm

v6.1.1

  • Fixed regression bug with missing smtp authMethod property

v6.1.0

  • Added new message property amp for providing AMP4EMAIL content

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
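
A quote-aware addr-spec splitter together with the strict recipient check that the advisory's second recommendation describes, written here as an added JavaScript example (it is not renovate-bot's, nodemailer's or the advisory's code); the grammar subset, the function names and the sample domains used in the comments are assumptions.

```javascript
// Added example, not code from renovate-bot's PR or from nodemailer: a
// quote-aware addr-spec splitter (subset of RFC 5321 Mailbox / RFC 5322
// addr-spec) plus the strict recipient check the advisory recommends.
// Assumptions: dot-atom or quoted-string local-part only, no comments or
// folding whitespace, ASCII only; domains such as internal.example are constructed.

const ATEXT = "[A-Za-z0-9!#$%&'*+\\/=?^_`{|}~-]";
const DOT_ATOM = new RegExp("^" + ATEXT + "+(?:\\." + ATEXT + "+)*");
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?";
const DOMAIN = new RegExp("^" + LABEL + "(?:\\." + LABEL + ")*$");

// Returns { local, domain } or null when the string is not one addr-spec.
function splitAddrSpec(addr) {
  let i = 0;
  let local = "";
  if (addr[0] === '"') {
    // quoted-string: everything up to the closing unescaped quote belongs to
    // the local-part, including any "@" or space inside it
    local = '"';
    i = 1;
    while (i < addr.length && addr[i] !== '"') {
      if (addr[i] === "\\" && i + 1 < addr.length) {
        local += addr[i] + addr[i + 1]; // quoted-pair such as \" or \\
        i += 2;
      } else {
        local += addr[i++];
      }
    }
    if (addr[i] !== '"') return null; // unterminated quoted-string
    local += '"';
    i += 1;
  } else {
    const m = DOT_ATOM.exec(addr);
    if (!m) return null;
    local = m[0];
    i = local.length;
  }
  // exactly one "@" separates local-part and domain; the domain must be a
  // plain dotted label sequence, so a second unquoted "@" is rejected here
  if (addr[i] !== "@") return null;
  const domain = addr.slice(i + 1);
  return DOMAIN.test(domain) ? { local, domain } : null;
}

// Allowlist check for outbound recipients. Besides requiring the RFC-parsed
// domain to be permitted, it refuses any local-part containing "@" at all,
// so an address that a naive first-"@" split would route to another domain
// never reaches the transport.
function isAllowedRecipient(addr, allowedDomains) {
  const parsed = splitAddrSpec(addr);
  if (!parsed) return false;
  if (parsed.local.includes("@")) return false;
  return allowedDomains.includes(parsed.domain.toLowerCase());
}
```

Feeding the advisory's payload shape through isAllowedRecipient rejects it even though splitAddrSpec resolves the domain correctly, which is the conservative behaviour a domain allowlist in a sending application should have.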

@renovate-bot renovate-bot requested a review from a team as a code owner October 7, 2025 23:11
@product-auto-label product-auto-label bot added samples Issues that are directly related to samples. api: compute Issues related to the Compute Engine API. labels Oct 7, 2025

dpebot commented Oct 7, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. actions:force-run labels Oct 7, 2025

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request upgrades the nodemailer dependency to its latest major version, v7.0.7, primarily to mitigate a significant security vulnerability. The vulnerability involved improper parsing of email addresses, potentially causing emails to be misdirected. This update ensures more robust and secure email handling, while also incorporating other bug fixes and a breaking change related to AWS SES SDK support.

Highlights

  • Dependency Update: The nodemailer package has been updated from ^6.0.0 to ^7.0.7.
  • Security Fix: This update addresses a critical security vulnerability (GHSA-mm7p-fcc7-pg87) in nodemailer related to incorrect handling of quoted local-parts in email addresses, which could lead to email misrouting and data leakage.
  • Major Version Upgrade: The update includes a major version bump to v7.0.0, which introduces breaking changes primarily around SESv2 SDK support, removing older SES SDK versions and related features.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates nodemailer to v7 to address a security vulnerability. While this is a necessary update, it's a major version bump. My review highlights a potential breaking change due to the use of the deprecated nodemailer-smtp-transport package, which may not be compatible with nodemailer v7. I've recommended refactoring the code to use nodemailer's built-in SMTP transport and removing the obsolete dependency. This is a critical step to ensure the application continues to function correctly after the update.

"@google-cloud/compute": "^4.0.0",
"@sendgrid/mail": "^8.0.0",
"nodemailer": "^6.0.0",
"nodemailer": "^7.0.7",
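
Review bot: the jump from ^6.0.0 to ^7.0.7 crosses the v7.0.0 breaking change listed in the release notes (SESv2 SDK only; the older SES SDK v2 and v3 paths and the SES rate-limiting and idling features are removed), and nothing else in this hunk changes alongside it, so before merging confirm that no sample covered by this package.json relies on the removed SES options and that any companion transport packages still listed in this file are compatible with v7.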

high

While updating nodemailer to v7 is necessary for the security fix, this is a major version upgrade that might introduce breaking changes. The file compute/mailjet.js uses the nodemailer-smtp-transport package, which is deprecated and may not be compatible with nodemailer v7.

Since nodemailer v3, SMTP transport is built-in. You should refactor compute/mailjet.js to use the built-in transport and remove the nodemailer-smtp-transport dependency.

The current implementation in compute/mailjet.js is:

const mailer = require('nodemailer');
const smtp = require('nodemailer-smtp-transport');

// ...
const transport = mailer.createTransport(
  smtp({
    host: 'in.mailjet.com',
    port: 2525,
    // ...
  })
);

This should be changed to:

const mailer = require('nodemailer');

// ...
const transport = mailer.createTransport({
  host: 'in.mailjet.com',
  port: 2525,
  // ...
});

After refactoring the code, you should also remove nodemailer-smtp-transport from the dependencies in this file. Please also note that the tests in compute/test/mailjet.test.js mock both libraries and will not catch this potential integration issue.

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from dc7d631 to 6298cd7 Compare October 9, 2025 12:38

dpebot commented Oct 9, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 6298cd7 to 3e771df Compare October 9, 2025 20:02

dpebot commented Oct 9, 2025

/gcbrun
