chore(deps): update dependency nodemailer to v7 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nodemailer (source)	6.7.2 -> 7.0.7

GitHub Vulnerability Alerts

GHSA-mm7p-fcc7-pg87

The email parsing library incorrectly handles quoted local-parts containing @​. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "[email protected] x"@​internal.domain
Using the following code to send mail

const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <[email protected]>', 
  to: "\"[email protected] x\"@&#8203;internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);

});

(async () => {
  const parser = await import("@&#8203;sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@&#8203;${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();

Running the script and seeing how this mail is parsed according to RFC

Parsed email: {
  address: '"[email protected] x"@​internal.domain',
  local: '"[email protected] x"',
  domain: 'internal.domain'
}

But the email is sent to [email protected]

Impact:

• Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

• Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

• Potential compliance issue: Violates RFC 5321/5322 parsing rules.

• Domain based access control bypass in downstream applications using your library to send mails

Recommendations

• Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

• Add strict validation rejecting local-parts containing embedded @​ unless fully compliant with quoting.

---

Release Notes

nodemailer/nodemailer (nodemailer)

v7.0.7

Compare Source

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#​1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

Compare Source

Bug Fixes

• encoder: avoid silent data loss by properly flushing trailing base64 (#​1747) (01ae76f)
• handle multiple XOAUTH2 token requests correctly (#​1754) (dbe0028)
• ReDoS vulnerability in parseDataURI and _processDataUrl (#​1755) (90b3e24)

v7.0.5

Compare Source

Bug Fixes

• updated well known delivery service list (fa2724b)

v7.0.4

Compare Source

Bug Fixes

• pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
• smtp-connection: jsdoc public annotation for socket (#​1741) (c45c84f)
• well-known-services: Added AliyunQiye (bb9e6da)

v7.0.3

Compare Source

Bug Fixes

• attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

v7.0.2

Compare Source

Bug Fixes

• ses: Fixed structured from header (faa9a5e)

v7.0.1

Compare Source

Bug Fixes

• ses: Use formatted FromEmailAddress for SES emails (821cd09)

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features

Features

• SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features (15db667)

v6.10.1

Compare Source

Bug Fixes

• close correct socket (a18062c)

v6.10.0

Compare Source

Features

• services: add Seznam email service configuration (#​1695) (d1ae0a8)

Bug Fixes

• proxy: Set error and timeout errors for proxied sockets (aa0c99c)

v6.9.16

Compare Source

Bug Fixes

• addressparser: Correctly detect if user local part is attached to domain part (f2096c5)

v6.9.15

Compare Source

Bug Fixes

• Fix memory leak (#​1667) (baa28f6)
• mime: Added GeoJSON closes #​1637 (#​1665) (79b8293)

v6.9.14

Compare Source

Bug Fixes

• api: Added support for Ethereal authentication (56b2205)
• services.json: Add Email Services Provider Feishu Mail (CN) (#​1648) (e9e9ecc)
• services.json: update Mailtrap host and port in well known (#​1652) (fc2c9ea)
• well-known-services: Add Loopia in well known services (#​1655) (21a28a1)

v6.9.13

Compare Source

Bug Fixes

• tls: Ensure servername for SMTP (d66fdd3)

v6.9.12

Compare Source

Bug Fixes

• message-generation: Escape single quote in address names (4ae5fad)

v6.9.11

Compare Source

Bug Fixes

• headers: Ensure that Content-type is the bottom header (c7cf97e)

v6.9.10

Compare Source

Bug Fixes

• data-uri: Do not use regular expressions for parsing data URI schemes (12e65e9)
• data-uri: Moved all data-uri regexes to use the non-regex parseDataUri method (edd5dfe)

v6.9.9

Compare Source

Bug Fixes

• security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
• tests: Use native node test runner, added code coverage support, removed grunt (#​1604) (be45c1b)

v6.9.8

Compare Source

Bug Fixes

• punycode: do not use native punycode module (b4d0e0c)

v6.9.7

Compare Source

Bug Fixes

• customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #​1584) (41d482c)

v6.9.6

Compare Source

Bug Fixes

• inline: Use 'inline' as the default Content Dispostion value for embedded images (db32c93)
• tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5

Compare Source

Bug Fixes

• license: Updated license year (da4744e)

v6.9.4

Compare Source

• Renamed SendinBlue to Brevo

v6.9.3

Compare Source

• Specified license identifier (was defined as MIT, actual value MIT-0)
• If SMTP server disconnects with a message, process it and include as part of the response error

v6.9.2

Compare Source

• Fix uncaught exception on invalid attachment content payload

v6.9.1

Compare Source

Bug Fixes

• addressparser: Correctly detect if user local part is attached to domain part (f2096c5)

v6.9.0

Compare Source

• Do not throw if failed to resolve IPv4 addresses
• Include EHLO extensions in the send response
• fix sendMail function: callback should be optional

v6.8.0

Compare Source

• Add DNS timeout (huksley)
• add dns.REFUSED (lucagianfelici)

v6.7.8

Compare Source

• Allow to use multiple Reply-To addresses

v6.7.7

Compare Source

• Resolver fixes

v6.7.6

Compare Source

v6.7.5

Compare Source

• No changes, pushing a new README to npmjs.org

v6.7.4

Compare Source

• Ensure compatibility with Node 18
• Replaced Travis with Github Actions

v6.7.3

Compare Source

• Typo fixes
• Added stale issue automation fir Github
• Add Infomaniak config to well known service (popod)
• Update Outlook/Hotmail host in well known services (popod)
• fix: DSN recipient gets ignored (KornKalle)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.