From bf72833f05e33bc47784f48e489466c20d6e810d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 9 Oct 2025 12:36:15 +0800 Subject: [PATCH] chore: bump up nodemailer version to v7.0.7 [SECURITY] (#13704) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.3` -> `7.0.7`](https://renovatebot.com/diffs/npm/nodemailer/7.0.3/7.0.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/7.0.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/7.0.3/7.0.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-mm7p-fcc7-pg87](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87) The email parsing library incorrectly handles quoted local-parts containing @​. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: `"xclow3n@gmail.com x"@​internal.domain` Using the following code to send mail ``` const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" ', to: "\"xclow3n@gmail.com x\"@​internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@​sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@​${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })(); ``` Running the script and seeing how this mail is parsed according to RFC ``` Parsed email: { address: '"xclow3n@gmail.com x"@​internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' } ``` But the email is sent to `xclow3n@gmail.com` Image ### Impact: - Misdelivery / Data leakage: Email is sent to psres.net instead of test.com. - Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts. - Potential compliance issue: Violates RFC 5321/5322 parsing rules. - Domain based access control bypass in downstream applications using your library to send mails ### Recommendations - Fix parser to correctly treat quoted local-parts per RFC 5321/5322. - Add strict validation rejecting local-parts containing embedded @​ unless fully compliant with quoting. --- ### Release Notes
nodemailer/nodemailer (nodemailer) ### [`v7.0.7`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#707-2025-10-05) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.6...v7.0.7) ##### Bug Fixes - **addressparser:** Fixed addressparser handling of quoted nested email addresses ([1150d99](https://redirect.github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626)) - **dns:** add memory leak prevention for DNS cache ([0240d67](https://redirect.github.com/nodemailer/nodemailer/commit/0240d6795ded6d8008d102161a729f120b6d786a)) - **linter:** Updated eslint and created prettier formatting task ([df13b74](https://redirect.github.com/nodemailer/nodemailer/commit/df13b7487e368acded35e45d0887d23c89c9177a)) - refresh expired DNS cache on error ([#​1759](https://redirect.github.com/nodemailer/nodemailer/issues/1759)) ([ea0fc5a](https://redirect.github.com/nodemailer/nodemailer/commit/ea0fc5a6633a3546f4b00fcf2f428e9ca732cdb6)) - resolve linter errors in DNS cache tests ([3b8982c](https://redirect.github.com/nodemailer/nodemailer/commit/3b8982c1f24508089a8757b74039000a4498b158)) ### [`v7.0.6`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#706-2025-08-27) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.5...v7.0.6) ##### Bug Fixes - **encoder:** avoid silent data loss by properly flushing trailing base64 ([#​1747](https://redirect.github.com/nodemailer/nodemailer/issues/1747)) ([01ae76f](https://redirect.github.com/nodemailer/nodemailer/commit/01ae76f2cfe991c0c3fe80170f236da60531496b)) - handle multiple XOAUTH2 token requests correctly ([#​1754](https://redirect.github.com/nodemailer/nodemailer/issues/1754)) ([dbe0028](https://redirect.github.com/nodemailer/nodemailer/commit/dbe00286351cddf012726a41a96ae613d30a34ee)) - ReDoS vulnerability in parseDataURI and \_processDataUrl ([#​1755](https://redirect.github.com/nodemailer/nodemailer/issues/1755)) ([90b3e24](https://redirect.github.com/nodemailer/nodemailer/commit/90b3e24d23929ebf9f4e16261049b40ee4055a39)) ### [`v7.0.5`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#705-2025-07-07) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.4...v7.0.5) ##### Bug Fixes - updated well known delivery service list ([fa2724b](https://redirect.github.com/nodemailer/nodemailer/commit/fa2724b337eb8d8fdcdd788fe903980b061316b8)) ### [`v7.0.4`](https://redirect.github.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#704-2025-06-29) [Compare Source](https://redirect.github.com/nodemailer/nodemailer/compare/v7.0.3...v7.0.4) ##### Bug Fixes - **pools:** Emit 'clear' once transporter is idle and all connections are closed ([839e286](https://redirect.github.com/nodemailer/nodemailer/commit/839e28634c9a93ae4321f399a8c893bf487a09fa)) - **smtp-connection:** jsdoc public annotation for socket ([#​1741](https://redirect.github.com/nodemailer/nodemailer/issues/1741)) ([c45c84f](https://redirect.github.com/nodemailer/nodemailer/commit/c45c84fe9b8e2ec5e0615ab02d4197473911ab3e)) - **well-known-services:** Added AliyunQiye ([bb9e6da](https://redirect.github.com/nodemailer/nodemailer/commit/bb9e6daffb632d7d8f969359859f88a138de3a48))
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 85087babb9..2ddd7f8c75 100644 --- a/yarn.lock +++ b/yarn.lock @@ -28414,9 +28414,9 @@ __metadata: linkType: hard "nodemailer@npm:^7.0.0": - version: 7.0.3 - resolution: "nodemailer@npm:7.0.3" - checksum: 10/d51e9b30753c982c35cf77839f3b7c1f138eb3fb5607c34f724ddc32360e56c3d631ff5b4eba5491f1f8805b428b945850441b4bd893bd2283c55be615f020c5 + version: 7.0.9 + resolution: "nodemailer@npm:7.0.9" + checksum: 10/88883c58afe356d2b4c24b1e976c04857e8a7a7145e1752dab69072900b0cc2e3daa0964a08c653e692fb64382453e1cfcee3d863828844c8d6f6239727b9023 languageName: node linkType: hard