This repository has been archived by the owner on Nov 26, 2024. It is now read-only.

Update dependency nodemailer to v6 [SECURITY] #35

Open

renovate wants to merge 1 commit into master from renovate/npm-nodemailer-vulnerability

renovate bot commented Feb 3, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nodemailer (source)	`^4.6.7` -> `^6.0.0`

GitHub Vulnerability Alerts

CVE-2020-7769

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

CVE-2021-23400

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Release Notes

nodemailer/nodemailer (nodemailer)

`v6.6.1`

Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#1289)

`v6.6.0`

Added new option newline for MailComposer
aws ses connection verification (Ognjen Jevremovic)

`v6.5.0`

Pass through textEncoding to subnodes
Added support for AWS SES v3 SDK
Fixed tests

`v6.4.18`

Updated README

`v6.4.17`

Allow mixing attachments with caendar alternatives

`v6.4.16`

Applied updated prettier formating rules

`v6.4.15`

Minor changes in header key casing

`v6.4.14`

Disabled postinstall script

`v6.4.13`

Fix normalizeHeaderKey method for single node messages

`v6.4.12`

Better handling of attachment filenames that include quote symbols
Includes all information from the oath2 error response in the error message (Normal Gaussian) [1787f22]

`v6.4.11`

Fixed escape sequence handling in address parsing

`v6.4.10`

Fixed RFC822 output for MailComposer when using invalid content-type value. Mostly relevant if message attachments have stragne content-type values set.

`v6.4.8`

`v6.4.7`

Always set charset=utf-8 for Content-Type headers
Catch error when using invalid crypto.sign input

`v6.4.6`

fix: requeueAttempts=n should requeue n times (Patrick Malouin) [a27ed2f]

`v6.4.5`

`v6.4.4`

Add options.forceAuth for SMTP (Patrick Malouin) [a27ed2f]

`v6.4.3`

Added an option to specify max number of requeues when connection closes unexpectedly (Igor Sechyn) [8a927f5]

`v6.4.2`

Fixed bug where array item was used with a potentially empty array

`v6.4.1`

Updated README

`v6.4.0`

Do not use auth if server does not advertise AUTH support [f419b09]
add dns.CONNREFUSED (Hiroyuki Okada) [5c4c8ca]

`v6.3.1`

Ignore "end" events because it might be "error" after it (dex4er) [72bade9]
Set username and password on the connection proxy object correctly (UsamaAshraf) [250b1a8]
Support more DNS errors (madarche) [2391aa4]

`v6.3.0`

Added new option to pass a set of httpHeaders to be sent when fetching attachments. See PR #1034

`v6.2.1`

No changes. It is the same as 6.2.0 that was accidentally published as 6.2.1 to npm

`v6.1.1`

Fixed regression bug with missing smtp authMethod property

`v6.1.0`

Added new message property amp for providing AMP4EMAIL content

`v6.0.0`

SMTPConnection: use removeListener instead of removeAllListeners (xr0master) [ddc4af1]
Using removeListener should fix memory leak with Node.js streams

`v5.1.1`

Added missing option argument for custom auth

`v5.1.0`

Official support for custom authentication methods and examples (examples/custom-auth-async.js and examples/custom-auth-cb.js)

`v5.0.1`

Fixed regression error to support Node versions lower than 6.11
Added expiremental custom authentication support

`v5.0.0`

Start using dns.resolve() instead of dns.lookup() for resolving SMTP hostnames. Might be breaking change on some environments so upgrade with care
Show more logs for renewing OAuth2 tokens, previously it was not possible to see what actually failed

`v4.7.0`

Cleaned up List-* header generation
Fixed 'full' return option for DSN (klaronix) [23b93a3]
Support promises for mailcomposer.build()

`v4.6.8`

Use first IP address from DNS resolution when using a proxy (Limbozz) [d4ca847]
Return raw email from SES transport (gabegorelick) [3aa0896]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency nodemailer to v6 [SECURITY]

35a000e

Author

renovate bot commented Feb 3, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/server/package-lock.json

npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@celluloid%2fclient - Not found
npm ERR! 404 
npm ERR! 404  '@celluloid/client@^0.1.0' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'server'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-02-03T01_54_22_666Z-debug.log

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet