chore(deps): bump nodemailer minimum version to 8.0.5 (#16664)

jacobsfletch · abarani · web-flow · commit efa4afe6f764 · 2026-05-18T15:33:53.000-04:00
Supersedes #16501. Related: #16651. Bumps `nodemailer` to `^8.0.5` and `@types/nodemailer` to `^8.0.0` throughout the monorepo. The `nodemailer@7.0.12` package has known advisories that are fixed in >= 8.0.5. - GHSA-vvjj-xcjg-gr5g - GHSA-c7w3-x93f-qmm8 Note: `nodemailer` v8 widened the `Mail.Options['from']` type to also accept an array. This is considered a breaking change in Payload's `SendEmailOptions` type, if a project code relies on the previous shape. For backwards compatibility, we pin `SendEmailOptions['from']` back to v7's `string | Address` shape, then normalize this at runtime, so email adapters and consumer code stay source-compatible. --- - To see the specific tasks where the Asana app for GitHub is being used, see below: - https://app.asana.com/0/0/1214892618463672 --------- Co-authored-by: Andrea Barani <andrea.barani@vubai.com>
diff --git a/packages/email-nodemailer/package.json b/packages/email-nodemailer/package.json
@@ -42,10 +42,10 @@
     "lint:fix": "eslint . --fix"
   },
   "dependencies": {
-    "nodemailer": "7.0.12"
+    "nodemailer": "^8.0.5"
   },
   "devDependencies": {
-    "@types/nodemailer": "7.0.2",
+    "@types/nodemailer": "^8.0.0",
     "payload": "workspace:*"
   },
   "peerDependencies": {
diff --git a/packages/payload-cloud/package.json b/packages/payload-cloud/package.json
@@ -48,10 +48,10 @@
     "@aws-sdk/lib-storage": "^3.614.0",
     "@payloadcms/email-nodemailer": "workspace:*",
     "amazon-cognito-identity-js": "^6.1.2",
-    "nodemailer": "7.0.12"
+    "nodemailer": "^8.0.5"
   },
   "devDependencies": {
-    "@types/nodemailer": "7.0.2",
+    "@types/nodemailer": "^8.0.0",
     "payload": "workspace:*"
   },
   "peerDependencies": {
diff --git a/packages/payload/package.json b/packages/payload/package.json
@@ -137,7 +137,7 @@
     "@payloadcms/eslint-config": "workspace:*",
     "@types/json-schema": "7.0.15",
     "@types/minimist": "1.2.2",
-    "@types/nodemailer": "7.0.2",
+    "@types/nodemailer": "^8.0.0",
     "@types/pluralize": "0.0.33",
     "@types/range-parser": "1.2.7",
     "@types/ws": "^8.5.10",
diff --git a/packages/payload/src/email/normalizeSendEmailOptions.ts b/packages/payload/src/email/normalizeSendEmailOptions.ts
@@ -0,0 +1,22 @@
+import type { Address } from 'nodemailer/lib/mailer'
+
+/**
+ * @todo: Remove in v4.
+ *
+ * This is a runtime guard to handle the breaking change in nodemailer v8.
+ *
+ * The `from` property is intentionally narrowed back to nodemailer 7's shape.
+ * Nodemailer v8 (security patch) widened it to also accept an array of addresses (breaking change).
+ * For backwards compatibility, we normalize that from an array back to a single address at runtime.
+ */
+export function normalizeSendEmailOptions<T extends { from?: unknown }>(message: T): T {
+  if (!Array.isArray(message.from)) {
+    return message
+  }
+
+  const first = (message.from as Array<Address | string>)[0]
+  return {
+    ...message,
+    from: typeof first === 'string' || (first && typeof first === 'object') ? first : undefined,
+  } as { from?: Address | string } & T
+}
diff --git a/packages/payload/src/email/types.ts b/packages/payload/src/email/types.ts
@@ -1,4 +1,5 @@
 import type { SendMailOptions as NodemailerSendMailOptions } from 'nodemailer'
+import type { Address } from 'nodemailer/lib/mailer'
 
 import type { Payload } from '../types/index.js'
 
@@ -7,9 +8,15 @@ type Prettify<T> = {
 } & NonNullable<unknown>
 
 /**
- * Options for sending an email. Allows access to the PayloadRequest object
+ * Options for sending an email. Allows access to the PayloadRequest object.
+ *
+ * @todo: Remove in v4. See `normalizeSendEmailOptions` for details.
  */
-export type SendEmailOptions = Prettify<NodemailerSendMailOptions>
+export type SendEmailOptions = Prettify<
+  {
+    from?: Address | string
+  } & Omit<NodemailerSendMailOptions, 'from'>
+>
 
 /**
  * Email adapter after it has been initialized. This is used internally by Payload.
diff --git a/packages/payload/src/index.ts b/packages/payload/src/index.ts
@@ -141,6 +141,7 @@ import {
   type CountVersionsOptions,
 } from './collections/operations/local/countVersions.js'
 import { consoleEmailAdapter } from './email/consoleEmailAdapter.js'
+import { normalizeSendEmailOptions } from './email/normalizeSendEmailOptions.js'
 import { fieldAffectsData, type FlattenedBlock } from './fields/config/types.js'
 import { getJobsLocalAPI } from './queues/localAPI.js'
 import { _internal_jobSystemGlobals } from './queues/utilities/getCurrentDate.js'
@@ -953,7 +954,12 @@ export class BasePayload {
       }
     }
 
-    this.sendEmail = this.email['sendEmail']
+    /**
+     * @todo: Remove in v4.
+     * See `normalizeSendEmailOptions` for details.
+     */
+    const adapterSendEmail = this.email['sendEmail']
+    this.sendEmail = (message) => adapterSendEmail(normalizeSendEmailOptions(message))
 
     serverInitTelemetry(this)
 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/test/package.json b/test/package.json
@@ -99,7 +99,7 @@
     "jwt-decode": "4.0.0",
     "mongoose": "8.15.1",
     "next": "16.2.6",
-    "nodemailer": "8.0.4",
+    "nodemailer": "^8.0.5",
     "object-to-formdata": "4.5.1",
     "payload": "workspace:*",
     "pg": "8.16.3",
