chore(deps): bump nodemailer to 8.x to fix SMTP injection #60237
nodemailer 7.x has an SMTP command-injection advisory (GHSA-vvjj-xcjg-gr5g, CRLF in the EHLO/HELO transport name) and a command injection via unsanitized envelope.size (GHSA-c7w3-x93f-qmm8), both fixed only in nodemailer 8.x (8.0.4 / 8.0.5). nodemailer is a direct dependency (nodejs CDP email service), so bump nodejs/package.json to ^8.0.8 and @types/nodemailer to ^8.0.0 to match. 8.0.8 is the newest release old enough to clear the repo's minimumReleaseAge guard (8.0.9 was published ~20h ago); it already carries both SMTP fixes. The createTransport / sendMail / SendMailOptions usage is unchanged across the major (verified via tsc), so no code changes are needed. Split out from the main audit PR (#60023) since it is a semver-major bump, beyond that PR's in-range scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gantoine left a comment:
any breaking changes between nodemailer 7 and 8?
I'm pretty convinced by the types bump working, we only use it for emails in dev/test (we use
Problem
Standard caveat about how npm audit is broken, see https://overreacted.io/npm-audit-broken-by-design/
Let's bump nodemailer to a version that audit doesn't complain about
Claude code continues:
nodemailer@7.x carries two SMTP command-injection advisories, both fixed only in nodemailer@8.x:
envelope.size (fixed 8.0.4)

nodemailer is a direct dependency (the nodejs CDP email service), so unlike the transitive cases this is a plain manifest bump — but to a new major, which is why it was kept out of the main audit PR (#60023, in-range only).

Changes

nodejs/package.json: nodemailer ^7.0.5 → ^8.0.8, and @types/nodemailer ^6.4.17 → ^8.0.0 to match (nodemailer ships no bundled types).

nodemailer@8.0.8: that's the latest version old enough to satisfy the repo's minimumReleaseAge (3 days) guard — 8.0.9 was published ~20h ago and is held back — and it's ≥ 8.0.5 so it carries both fixes.

The createTransport / sendMail / SendMailOptions usage in nodejs/src/cdp/services/messaging/{email.service,helpers/maildev}.ts is unchanged across the 7→8 major, so no code changes are required.

How did you test this code?
I am an agent (Claude Code), automated checks only:
pnpm audit: both nodemailer advisories cleared.
pnpm install --frozen-lockfile: passes.
nodejs tsc --noEmit: no nodemailer-related errors (the createTransport / sendMail / SendMailOptions call sites all typecheck against nodemailer 8 + @types 8). The only remaining errors are the pre-existing @posthog/hogvm / @posthog/cyclotron "not built locally" cascade, unchanged from the master baseline and unrelated to this bump.

Publish to changelog?
no
Docs update
No docs changes needed.
🤖 Agent context
Authored by Claude Code (Claude Opus 4.7), agent-driven. Requires human review; do not self-merge.
Split out from the main audit PR (#60023) at the maintainer's request — that PR is in-range-only, and this is a semver-major bump. nodemailer being a direct dep means no override is involved: it's a manifest bump plus the matching @types/nodemailer major. Note 8.0.9 is intentionally not used (blocked by minimumReleaseAge); 8.0.8 is the newest mature release and already includes both SMTP fixes.
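As an added illustration of the version-selection rule applied above (this is example code, not part of this PR, of the repo's tooling, or of nodemailer), the following picks the newest release that is both at or above the first fixed version and old enough to clear a minimumReleaseAge-style guard. The function names and the publish dates are constructed for the example; the input is shaped like the npm registry's time map (version to ISO publish date).

```javascript
// Added example: choose the newest release that (a) is >= the first fixed
// version and (b) was published at least minAgeDays before `now`, the way
// the PR reasons about taking 8.0.8 while 8.0.9 is still held back.
// Function names are hypothetical; input mirrors npm's registry `time` map.

function parseSemver(v) {
  // Plain x.y.z only; pre-release tags are not needed for this example.
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the newest qualifying version, or null when none satisfies both rules.
function pickMatureFixedVersion(times, { minFixed, minAgeDays, now }) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  const candidates = Object.entries(times)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // skip "created"/"modified" keys
    .filter(([v]) => compareSemver(v, minFixed) >= 0) // carries the fix
    .filter(([, published]) => new Date(published).getTime() <= cutoff) // old enough
    .map(([v]) => v)
    .sort(compareSemver);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed sample data: dates are made up to reproduce the PR's situation
// (8.0.9 published ~20h before "now"; guard = 3 days; first fix in 8.0.5).
const sampleTimes = {
  created: '2024-01-01T00:00:00.000Z',
  '8.0.3': '2025-12-01T00:00:00.000Z',
  '8.0.4': '2025-12-05T00:00:00.000Z',
  '8.0.5': '2025-12-09T00:00:00.000Z',
  '8.0.8': '2025-12-20T00:00:00.000Z',
  '8.0.9': '2025-12-31T04:00:00.000Z',
};
const sampleNow = new Date('2026-01-01T00:00:00.000Z');

console.log(pickMatureFixedVersion(sampleTimes, { minFixed: '8.0.5', minAgeDays: 3, now: sampleNow }));
```

With the sample data the call resolves to 8.0.8; dropping the age guard to 0 days would select 8.0.9 instead.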