mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-12 15:46:29 +08:00
chore: bump up nodemailer version to v7.0.7 [SECURITY] (#13704)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [nodemailer](https://nodemailer.com/)
([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.3`
-> `7.0.7`](https://renovatebot.com/diffs/npm/nodemailer/7.0.3/7.0.7) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[GHSA-mm7p-fcc7-pg87](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87)
The email parsing library incorrectly handles quoted local-parts
containing @​. This leads to misrouting of email recipients, where
the parser extracts and routes to an unintended domain instead of the
RFC-compliant target.
Payload: `"xclow3n@gmail.com x"@​internal.domain`
Using the following code to send mail
```
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
service: "gmail",
auth: {
user: "",
pass: "",
},
});
let mailOptions = {
from: '"Test Sender" <your_email@gmail.com>',
to: "\"xclow3n@gmail.com x\"@​internal.domain",
subject: "Hello from Nodemailer",
text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};
transporter.sendMail(mailOptions, (error, info) => {
if (error) {
return console.log("Error: ", error);
}
console.log("Message sent: %s", info.messageId);
});
(async () => {
const parser = await import("@​sparser/email-address-parser");
const { EmailAddress, ParsingOptions } = parser.default;
const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);
if (!parsed) {
console.error("Invalid email address:", mailOptions.to);
return;
}
console.log("Parsed email:", {
address: `${parsed.localPart}@​${parsed.domain}`,
local: parsed.localPart,
domain: parsed.domain,
});
})();
```
Running the script and seeing how this mail is parsed according to RFC
```
Parsed email: {
address: '"xclow3n@gmail.com x"@​internal.domain',
local: '"xclow3n@gmail.com x"',
domain: 'internal.domain'
}
```
But the email is sent to `xclow3n@gmail.com`
<img width="2128" height="439" alt="Image"
src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d"
/>
### Impact:
- Misdelivery / Data leakage: Email is sent to psres.net instead of
test.com.
- Filter evasion: Logs and anti-spam systems may be bypassed by hiding
recipients inside quoted local-parts.
- Potential compliance issue: Violates RFC 5321/5322 parsing rules.
- Domain based access control bypass in downstream applications using
your library to send mails
### Recommendations
- Fix parser to correctly treat quoted local-parts per RFC 5321/5322.
- Add strict validation rejecting local-parts containing embedded
@​ unless fully compliant with quoting.
---
### Release Notes
<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>
###
[`v7.0.7`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#707-2025-10-05)
[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.6...v7.0.7)
##### Bug Fixes
- **addressparser:** Fixed addressparser handling of quoted nested email
addresses
([1150d99](https://redirect.github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626))
- **dns:** add memory leak prevention for DNS cache
([0240d67](https://redirect.github.com/nodemailer/nodemailer/commit/0240d6795ded6d8008d102161a729f120b6d786a))
- **linter:** Updated eslint and created prettier formatting task
([df13b74](https://redirect.github.com/nodemailer/nodemailer/commit/df13b7487e368acded35e45d0887d23c89c9177a))
- refresh expired DNS cache on error
([#​1759](https://redirect.github.com/nodemailer/nodemailer/issues/1759))
([ea0fc5a](https://redirect.github.com/nodemailer/nodemailer/commit/ea0fc5a6633a3546f4b00fcf2f428e9ca732cdb6))
- resolve linter errors in DNS cache tests
([3b8982c](https://redirect.github.com/nodemailer/nodemailer/commit/3b8982c1f24508089a8757b74039000a4498b158))
###
[`v7.0.6`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#706-2025-08-27)
[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.5...v7.0.6)
##### Bug Fixes
- **encoder:** avoid silent data loss by properly flushing trailing
base64
([#​1747](https://redirect.github.com/nodemailer/nodemailer/issues/1747))
([01ae76f](https://redirect.github.com/nodemailer/nodemailer/commit/01ae76f2cfe991c0c3fe80170f236da60531496b))
- handle multiple XOAUTH2 token requests correctly
([#​1754](https://redirect.github.com/nodemailer/nodemailer/issues/1754))
([dbe0028](https://redirect.github.com/nodemailer/nodemailer/commit/dbe00286351cddf012726a41a96ae613d30a34ee))
- ReDoS vulnerability in parseDataURI and \_processDataUrl
([#​1755](https://redirect.github.com/nodemailer/nodemailer/issues/1755))
([90b3e24](https://redirect.github.com/nodemailer/nodemailer/commit/90b3e24d23929ebf9f4e16261049b40ee4055a39))
###
[`v7.0.5`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#705-2025-07-07)
[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.4...v7.0.5)
##### Bug Fixes
- updated well known delivery service list
([fa2724b](https://redirect.github.com/nodemailer/nodemailer/commit/fa2724b337eb8d8fdcdd788fe903980b061316b8))
###
[`v7.0.4`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#704-2025-06-29)
[Compare
Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.3...v7.0.4)
##### Bug Fixes
- **pools:** Emit 'clear' once transporter is idle and all connections
are closed
([839e286](https://redirect.github.com/nodemailer/nodemailer/commit/839e28634c9a93ae4321f399a8c893bf487a09fa))
- **smtp-connection:** jsdoc public annotation for socket
([#​1741](https://redirect.github.com/nodemailer/nodemailer/issues/1741))
([c45c84f](https://redirect.github.com/nodemailer/nodemailer/commit/c45c84fe9b8e2ec5e0615ab02d4197473911ab3e))
- **well-known-services:** Added AliyunQiye
([bb9e6da](https://redirect.github.com/nodemailer/nodemailer/commit/bb9e6daffb632d7d8f969359859f88a138de3a48))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMS45IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
@@ -28414,9 +28414,9 @@ __metadata:
|
||||
linkType: hard
|
||||
|
||||
"nodemailer@npm:^7.0.0":
|
||||
version: 7.0.3
|
||||
resolution: "nodemailer@npm:7.0.3"
|
||||
checksum: 10/d51e9b30753c982c35cf77839f3b7c1f138eb3fb5607c34f724ddc32360e56c3d631ff5b4eba5491f1f8805b428b945850441b4bd893bd2283c55be615f020c5
|
||||
version: 7.0.9
|
||||
resolution: "nodemailer@npm:7.0.9"
|
||||
checksum: 10/88883c58afe356d2b4c24b1e976c04857e8a7a7145e1752dab69072900b0cc2e3daa0964a08c653e692fb64382453e1cfcee3d863828844c8d6f6239727b9023
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
|
||||
Reference in New Issue
Block a user