chore: bump up nodemailer version to v7.0.7 [SECURITY] (#13704)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [nodemailer](https://nodemailer.com/)
([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.3`
-> `7.0.7`](https://renovatebot.com/diffs/npm/nodemailer/7.0.3/7.0.7) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/7.0.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/7.0.3/7.0.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[GHSA-mm7p-fcc7-pg87](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87)

The email parsing library incorrectly handles quoted local-parts
containing @​. This leads to misrouting of email recipients, where
the parser extracts and routes to an unintended domain instead of the
RFC-compliant target.

Payload: `"xclow3n@gmail.com x"@​internal.domain`
Using the following code to send mail
```
const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <your_email@gmail.com>', 
  to: "\"xclow3n@gmail.com x\"@&#8203;internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);

});

(async () => {
  const parser = await import("@&#8203;sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@&#8203;${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();
```

Running the script and seeing how this mail is parsed according to RFC

```
Parsed email: {
  address: '"xclow3n@gmail.com x"@&#8203;internal.domain',
  local: '"xclow3n@gmail.com x"',
  domain: 'internal.domain'
}
```

But the email is sent to `xclow3n@gmail.com`

<img width="2128" height="439" alt="Image"
src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d"
/>

### Impact:

- Misdelivery / Data leakage: Email is sent to psres.net instead of
test.com.

- Filter evasion: Logs and anti-spam systems may be bypassed by hiding
recipients inside quoted local-parts.

-    Potential compliance issue: Violates RFC 5321/5322 parsing rules.

- Domain based access control bypass in downstream applications using
your library to send mails

### Recommendations

-    Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

- Add strict validation rejecting local-parts containing embedded
@&#8203; unless fully compliant with quoting.

---

### Release Notes

<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>

###
[`v7.0.7`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#707-2025-10-05)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.6...v7.0.7)

##### Bug Fixes

- **addressparser:** Fixed addressparser handling of quoted nested email
addresses
([1150d99](https://redirect.github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626))
- **dns:** add memory leak prevention for DNS cache
([0240d67](https://redirect.github.com/nodemailer/nodemailer/commit/0240d6795ded6d8008d102161a729f120b6d786a))
- **linter:** Updated eslint and created prettier formatting task
([df13b74](https://redirect.github.com/nodemailer/nodemailer/commit/df13b7487e368acded35e45d0887d23c89c9177a))
- refresh expired DNS cache on error
([#&#8203;1759](https://redirect.github.com/nodemailer/nodemailer/issues/1759))
([ea0fc5a](https://redirect.github.com/nodemailer/nodemailer/commit/ea0fc5a6633a3546f4b00fcf2f428e9ca732cdb6))
- resolve linter errors in DNS cache tests
([3b8982c](https://redirect.github.com/nodemailer/nodemailer/commit/3b8982c1f24508089a8757b74039000a4498b158))

###
[`v7.0.6`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#706-2025-08-27)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.5...v7.0.6)

##### Bug Fixes

- **encoder:** avoid silent data loss by properly flushing trailing
base64
([#&#8203;1747](https://redirect.github.com/nodemailer/nodemailer/issues/1747))
([01ae76f](https://redirect.github.com/nodemailer/nodemailer/commit/01ae76f2cfe991c0c3fe80170f236da60531496b))
- handle multiple XOAUTH2 token requests correctly
([#&#8203;1754](https://redirect.github.com/nodemailer/nodemailer/issues/1754))
([dbe0028](https://redirect.github.com/nodemailer/nodemailer/commit/dbe00286351cddf012726a41a96ae613d30a34ee))
- ReDoS vulnerability in parseDataURI and \_processDataUrl
([#&#8203;1755](https://redirect.github.com/nodemailer/nodemailer/issues/1755))
([90b3e24](https://redirect.github.com/nodemailer/nodemailer/commit/90b3e24d23929ebf9f4e16261049b40ee4055a39))

###
[`v7.0.5`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#705-2025-07-07)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.4...v7.0.5)

##### Bug Fixes

- updated well known delivery service list
([fa2724b](https://redirect.github.com/nodemailer/nodemailer/commit/fa2724b337eb8d8fdcdd788fe903980b061316b8))

###
[`v7.0.4`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#704-2025-06-29)

[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.3...v7.0.4)

##### Bug Fixes

- **pools:** Emit 'clear' once transporter is idle and all connections
are closed
([839e286](https://redirect.github.com/nodemailer/nodemailer/commit/839e28634c9a93ae4321f399a8c893bf487a09fa))
- **smtp-connection:** jsdoc public annotation for socket
([#&#8203;1741](https://redirect.github.com/nodemailer/nodemailer/issues/1741))
([c45c84f](https://redirect.github.com/nodemailer/nodemailer/commit/c45c84fe9b8e2ec5e0615ab02d4197473911ab3e))
- **well-known-services:** Added AliyunQiye
([bb9e6da](https://redirect.github.com/nodemailer/nodemailer/commit/bb9e6daffb632d7d8f969359859f88a138de3a48))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMS45IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot]
2025-10-09 12:36:15 +08:00
committed by GitHub
parent 96b3de8ce7
commit bf72833f05
+3 -3
View File
@@ -28414,9 +28414,9 @@ __metadata:
linkType: hard
"nodemailer@npm:^7.0.0":
version: 7.0.3
resolution: "nodemailer@npm:7.0.3"
checksum: 10/d51e9b30753c982c35cf77839f3b7c1f138eb3fb5607c34f724ddc32360e56c3d631ff5b4eba5491f1f8805b428b945850441b4bd893bd2283c55be615f020c5
version: 7.0.9
resolution: "nodemailer@npm:7.0.9"
checksum: 10/88883c58afe356d2b4c24b1e976c04857e8a7a7145e1752dab69072900b0cc2e3daa0964a08c653e692fb64382453e1cfcee3d863828844c8d6f6239727b9023
languageName: node
linkType: hard