New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency nodemailer to v6 [SECURITY] #910

Open

renovate wants to merge 1 commit into master from renovate/npm-nodemailer-vulnerability

Contributor

renovate bot commented Feb 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nodemailer (source)	`^4.6.4` -> `^6.0.0`

GitHub Vulnerability Alerts

CVE-2020-7769

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

CVE-2021-23400

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Release Notes

nodemailer/nodemailer (nodemailer)

`v6.6.1`

Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#1289)

`v6.6.0`

Added new option newline for MailComposer
aws ses connection verification (Ognjen Jevremovic)

`v6.5.0`

Pass through textEncoding to subnodes
Added support for AWS SES v3 SDK
Fixed tests

`v6.4.18`

Updated README

`v6.4.17`

Allow mixing attachments with caendar alternatives

`v6.4.16`

Applied updated prettier formating rules

`v6.4.15`

Minor changes in header key casing

`v6.4.14`

Disabled postinstall script

`v6.4.13`

Fix normalizeHeaderKey method for single node messages

`v6.4.12`

Better handling of attachment filenames that include quote symbols
Includes all information from the oath2 error response in the error message (Normal Gaussian) [1787f22]

`v6.4.11`

Fixed escape sequence handling in address parsing

`v6.4.10`

Fixed RFC822 output for MailComposer when using invalid content-type value. Mostly relevant if message attachments have stragne content-type values set.

`v6.4.8`

`v6.4.7`

Always set charset=utf-8 for Content-Type headers
Catch error when using invalid crypto.sign input

`v6.4.6`

fix: requeueAttempts=n should requeue n times (Patrick Malouin) [a27ed2f]

`v6.4.5`

`v6.4.4`

Add options.forceAuth for SMTP (Patrick Malouin) [a27ed2f]

`v6.4.3`

Added an option to specify max number of requeues when connection closes unexpectedly (Igor Sechyn) [8a927f5]

`v6.4.2`

Fixed bug where array item was used with a potentially empty array

`v6.4.1`

Updated README

`v6.4.0`

Do not use auth if server does not advertise AUTH support [f419b09]
add dns.CONNREFUSED (Hiroyuki Okada) [5c4c8ca]

`v6.3.1`

Ignore "end" events because it might be "error" after it (dex4er) [72bade9]
Set username and password on the connection proxy object correctly (UsamaAshraf) [250b1a8]
Support more DNS errors (madarche) [2391aa4]

`v6.3.0`

Added new option to pass a set of httpHeaders to be sent when fetching attachments. See PR #1034

`v6.2.1`

No changes. It is the same as 6.2.0 that was accidentally published as 6.2.1 to npm

`v6.1.1`

Fixed regression bug with missing smtp authMethod property

`v6.1.0`

Added new message property amp for providing AMP4EMAIL content

`v6.0.0`

SMTPConnection: use removeListener instead of removeAllListeners (xr0master) [ddc4af1]
Using removeListener should fix memory leak with Node.js streams

`v5.1.1`

Added missing option argument for custom auth

`v5.1.0`

Official support for custom authentication methods and examples (examples/custom-auth-async.js and examples/custom-auth-cb.js)

`v5.0.1`

Fixed regression error to support Node versions lower than 6.11
Added expiremental custom authentication support

`v5.0.0`

Start using dns.resolve() instead of dns.lookup() for resolving SMTP hostnames. Might be breaking change on some environments so upgrade with care
Show more logs for renewing OAuth2 tokens, previously it was not possible to see what actually failed

`v4.7.0`

Cleaned up List-* header generation
Fixed 'full' return option for DSN (klaronix) [23b93a3]
Support promises for mailcomposer.build()

`v4.6.8`

Use first IP address from DNS resolution when using a proxy (Limbozz) [d4ca847]
Return raw email from SES transport (gabegorelick) [3aa0896]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Update dependency nodemailer to v6 [SECURITY]~~ Update dependency nodemailer to v6 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-nodemailer-vulnerability branch

April 3, 2024 13:25

renovate bot changed the title ~~Update dependency nodemailer to v6 [SECURITY] - autoclosed~~ Update dependency nodemailer to v6 [SECURITY]

renovate bot reopened this

renovate bot restored the renovate/npm-nodemailer-vulnerability branch

April 3, 2024 15:58


          Update dependency nodemailer to v6 [SECURITY]

renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 84733c5 to 7265617 Compare

April 3, 2024 15:59

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet