Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency nodemailer to v6 [SECURITY] #144

Merged
merged 1 commit into from
Oct 14, 2022

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 15, 2021

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
nodemailer (source) ^4.6.7 -> ^6.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-23400

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.


Release Notes

nodemailer/nodemailer

v6.6.1

Compare Source

  • Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#​1289)

v6.6.0

Compare Source

  • Added new option newline for MailComposer
  • aws ses connection verification (Ognjen Jevremovic)

v6.5.0

Compare Source

  • Pass through textEncoding to subnodes
  • Added support for AWS SES v3 SDK
  • Fixed tests

v6.4.18

Compare Source

  • Updated README

v6.4.17

Compare Source

  • Allow mixing attachments with caendar alternatives

v6.4.16

Compare Source

  • Applied updated prettier formating rules

v6.4.15

Compare Source

  • Minor changes in header key casing

v6.4.14

Compare Source

  • Disabled postinstall script

v6.4.13

Compare Source

  • Fix normalizeHeaderKey method for single node messages

v6.4.12

Compare Source

  • Better handling of attachment filenames that include quote symbols
  • Includes all information from the oath2 error response in the error message (Normal Gaussian) [1787f22]

v6.4.11

Compare Source

  • Fixed escape sequence handling in address parsing

v6.4.10

Compare Source

  • Fixed RFC822 output for MailComposer when using invalid content-type value. Mostly relevant if message attachments have stragne content-type values set.

v6.4.8

Compare Source

v6.4.7

Compare Source

  • Always set charset=utf-8 for Content-Type headers
  • Catch error when using invalid crypto.sign input

v6.4.6

Compare Source

  • fix: requeueAttempts=n should requeue n times (Patrick Malouin) [a27ed2f]

v6.4.5

Compare Source

v6.4.4

Compare Source

  • Add options.forceAuth for SMTP (Patrick Malouin) [a27ed2f]

v6.4.3

Compare Source

  • Added an option to specify max number of requeues when connection closes unexpectedly (Igor Sechyn) [8a927f5]

v6.4.2

Compare Source

  • Fixed bug where array item was used with a potentially empty array

v6.4.1

Compare Source

  • Updated README

v6.4.0

Compare Source

  • Do not use auth if server does not advertise AUTH support [f419b09]
  • add dns.CONNREFUSED (Hiroyuki Okada) [5c4c8ca]

v6.3.1

Compare Source

  • Ignore "end" events because it might be "error" after it (dex4er) [72bade9]
  • Set username and password on the connection proxy object correctly (UsamaAshraf) [250b1a8]
  • Support more DNS errors (madarche) [2391aa4]

v6.3.0

Compare Source

  • Added new option to pass a set of httpHeaders to be sent when fetching attachments. See PR #​1034

v6.2.1

Compare Source

  • No changes. It is the same as 6.2.0 that was accidentally published as 6.2.1 to npm

v6.1.1

Compare Source

  • Fixed regression bug with missing smtp authMethod property

v6.1.0

Compare Source

  • Added new message property amp for providing AMP4EMAIL content

v6.0.0

Compare Source

  • SMTPConnection: use removeListener instead of removeAllListeners (xr0master) [ddc4af1]
    Using removeListener should fix memory leak with Node.js streams

v5.1.1

Compare Source

  • Added missing option argument for custom auth

v5.1.0

Compare Source

  • Official support for custom authentication methods and examples (examples/custom-auth-async.js and examples/custom-auth-cb.js)

v5.0.1

Compare Source

  • Fixed regression error to support Node versions lower than 6.11
  • Added expiremental custom authentication support

v5.0.0

Compare Source

  • Start using dns.resolve() instead of dns.lookup() for resolving SMTP hostnames. Might be breaking change on some environments so upgrade with care
  • Show more logs for renewing OAuth2 tokens, previously it was not possible to see what actually failed

v4.7.0

Compare Source

  • Cleaned up List-* header generation
  • Fixed 'full' return option for DSN (klaronix) [23b93a3]
  • Support promises for mailcomposer.build()

v4.6.8

Compare Source

  • Use first IP address from DNS resolution when using a proxy (Limbozz) [d4ca847]
  • Return raw email from SES transport (gabegorelick) [3aa0896]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@younes200 younes200 merged commit 1ab88ef into main Oct 14, 2022
@renovate renovate bot deleted the renovate/npm-nodemailer-vulnerability branch October 14, 2022 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants