
fix(deps): nodemailer 9 resolves 6 advisories #74

Merged

goetchstone merged 1 commit into main from fix/nodemailer-9 on Jun 19, 2026

Conversation

@goetchstone (Owner)

What

Upgrades nodemailer 7 → 9, which patches all 6 nodemailer advisories (one high) that #72 had to allowlist. The scripts/audit-check.mjs allowlist shrinks to postcss only.

Why the overrides

@auth/core declares an optional nodemailer@^7 peer — only for next-auth's Email (magic-link) provider. We use the Credentials provider exclusively (server/auth/index.ts), so next-auth never loads nodemailer. A package.json overrides forces the whole tree to nodemailer 9, which:

  • resolves npm ci cleanly (override warnings only, no ERESOLVE failure), without --legacy-peer-deps;
  • is runtime-safe — the overridden code path is never executed.

@types/nodemailer bumped 7 → 8 (latest; covers our createTransport/sendMail/verify usage).

Verified (node:20 container)

  • npm ci — clean (override warnings only)
  • tsc --noEmit — clean
  • vitest — 49 passed
  • npm audit --omit=dev — no nodemailer advisories (only postcss moderate remains)
  • npm run build — exit 0

Supersedes Dependabot #73 (which failed npm ci on the peer-dep). Documented in CLAUDE.md + docs/DECISIONS.md.

🤖 Generated with Claude Code
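The PR's allowlist gate (scripts/audit-check.mjs) is not shown on the page, so the block below is an added illustration of that idea, not the project's own script. It evaluates a report in the shape `npm audit --json` emits on npm 7 and later (`vulnerabilities` keyed by package name, each entry with a `severity` and a `via` array of advisory objects or dependent package names) against a package allowlist. The two sample reports, their advisory titles, URLs and ranges are constructed placeholders (the page states the real count was six nodemailer advisories; the sample carries two), and treating a stale allowlist entry as a failure is an assumption added here so that the allowlist is forced to shrink when an upgrade like this one lands.

```javascript
// Added example: allowlist gate over `npm audit --json` output.
// Not the project's scripts/audit-check.mjs; all sample data below is constructed.

const ALLOWLIST_BEFORE = ['nodemailer', 'postcss']; // what #72 had to allow
const ALLOWLIST_AFTER = ['postcss'];                // after the nodemailer 9 bump

// Constructed report in the npm 7+ `npm audit --json` shape. Advisory titles,
// URLs and ranges are placeholders, not real GHSA identifiers.
const REPORT_BEFORE = {
  vulnerabilities: {
    nodemailer: {
      name: 'nodemailer',
      severity: 'high',
      isDirect: true,
      via: [
        { source: 1, name: 'nodemailer', title: 'placeholder advisory A', severity: 'high', url: 'https://example.invalid/adv-a' },
        { source: 2, name: 'nodemailer', title: 'placeholder advisory B', severity: 'moderate', url: 'https://example.invalid/adv-b' },
      ],
      range: '<9.0.0',
      fixAvailable: { name: 'nodemailer', version: '9.0.0', isSemVerMajor: true },
    },
    postcss: {
      name: 'postcss',
      severity: 'moderate',
      isDirect: false,
      via: [{ source: 3, name: 'postcss', title: 'placeholder advisory C', severity: 'moderate', url: 'https://example.invalid/adv-c' }],
      range: '<8.0.0',
      fixAvailable: true,
    },
  },
};

// Constructed "after the upgrade" report: the nodemailer entry is gone, postcss remains.
const REPORT_AFTER = { vulnerabilities: { postcss: REPORT_BEFORE.vulnerabilities.postcss } };

// Only object entries of `via` are advisories against this package; string
// entries mean "vulnerable through dependency X" and are already counted under X.
function directAdvisories(entry) {
  return (entry.via || []).filter((v) => typeof v === 'object' && v !== null);
}

// Split the report into allowlisted and blocking packages, and flag allowlist
// entries that no longer match anything (stale entries would silently accept
// the next advisory for that package).
function evaluateAudit(report, allowlist) {
  const allow = new Set(allowlist);
  const vulns = report.vulnerabilities || {};
  const blocking = [];
  const allowed = [];
  for (const [name, entry] of Object.entries(vulns)) {
    const item = { name, severity: entry.severity, advisories: directAdvisories(entry).length };
    (allow.has(name) ? allowed : blocking).push(item);
  }
  const stale = allowlist.filter((n) => !(n in vulns));
  return { blocking, allowed, stale };
}

// Gate verdict: pass only when nothing unallowlisted is reported and the
// allowlist carries no stale entries.
function runGate(report, allowlist) {
  const result = evaluateAudit(report, allowlist);
  return { ...result, ok: result.blocking.length === 0 && result.stale.length === 0 };
}

function describe(label, verdict) {
  const parts = [
    `${label}: ${verdict.ok ? 'PASS' : 'FAIL'}`,
    `blocking=${verdict.blocking.map((b) => `${b.name}(${b.severity},${b.advisories})`).join(',') || '-'}`,
    `allowed=${verdict.allowed.map((a) => a.name).join(',') || '-'}`,
    `stale=${verdict.stale.join(',') || '-'}`,
  ];
  return parts.join(' ');
}

console.log(describe('before, old allowlist', runGate(REPORT_BEFORE, ALLOWLIST_BEFORE)));
console.log(describe('before, new allowlist', runGate(REPORT_BEFORE, ALLOWLIST_AFTER)));
console.log(describe('after,  new allowlist', runGate(REPORT_AFTER, ALLOWLIST_AFTER)));
console.log(describe('after,  old allowlist', runGate(REPORT_AFTER, ALLOWLIST_BEFORE)));
```

In a real pipeline the report would come from `npm audit --omit=dev --json` on stdin rather than the constructed constants, and a failing verdict would set a non-zero exit code. The stale-entry rule is what makes the allowlist shrink as described above: once nodemailer 9 removes its advisories, a gate that still allowlists nodemailer fails until the entry is dropped, which is the opposite failure mode of an allowlist that quietly keeps growing.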

All 6 nodemailer advisories (one high) are patched in 9. next-auth's
nodemailer peer is optional/unused (Credentials-only auth), so an
overrides forces the tree to 9; allowlist shrinks to postcss.
goetchstone merged commit d2f5f74 into main on Jun 19, 2026
8 checks passed
goetchstone deleted the fix/nodemailer-9 branch on June 19, 2026 20:39