
NodeMailer creates critical severity vulnerabilities after install #1074

Closed
Galileoomega opened this issue Nov 7, 2023 · 6 comments

Comments

@Galileoomega

Describe the bug
I am trying to install this package under npm.
As said in the README, I tried both commands to install it, but it always gives me 11 critical vulnerabilities.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new nestJS project: nest new
  2. Install mailer using the commands:
    npm install --save @nestjs-modules/mailer nodemailer and npm install --save-dev @types/nodemailer
  3. See error in the terminal.

Expected behavior
I expected no vulnerabilities with a blank nestJS project.

Error log

```
% npm install --save @nestjs-modules/mailer nodemailer
npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

added 241 packages, and audited 1042 packages in 2s

165 packages are looking for funding
  run `npm fund` for details

11 critical severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
```

Package.json

```json
{
  "name": "app-test",
  "version": "0.0.1",
  "description": "",
  "author": "",
  "private": true,
  "license": "UNLICENSED",
  "scripts": {
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
    "@nestjs/common": "^10.0.0",
    "@nestjs/core": "^10.0.0",
    "@nestjs/platform-express": "^10.0.0",
    "reflect-metadata": "^0.1.13",
    "rxjs": "^7.8.1"
  },
  "devDependencies": {
    "@nestjs/cli": "^10.0.0",
    "@nestjs/schematics": "^10.0.0",
    "@nestjs/testing": "^10.0.0",
    "@types/express": "^4.17.17",
    "@types/jest": "^29.5.2",
    "@types/node": "^20.3.1",
    "@types/supertest": "^2.0.12",
    "@typescript-eslint/eslint-plugin": "^6.0.0",
    "@typescript-eslint/parser": "^6.0.0",
    "eslint": "^8.42.0",
    "eslint-config-prettier": "^9.0.0",
    "eslint-plugin-prettier": "^5.0.0",
    "jest": "^29.5.0",
    "prettier": "^3.0.0",
    "source-map-support": "^0.5.21",
    "supertest": "^6.3.3",
    "ts-jest": "^29.1.0",
    "ts-loader": "^9.4.3",
    "ts-node": "^10.9.1",
    "tsconfig-paths": "^4.2.0",
    "typescript": "^5.1.3"
  },
  "jest": {
    "moduleFileExtensions": [
      "js",
      "json",
      "ts"
    ],
    "rootDir": "src",
    "testRegex": ".*\\.spec\\.ts$",
    "transform": {
      "^.+\\.(t|j)s$": "ts-jest"
    },
    "collectCoverageFrom": [
      "**/*.(t|j)s"
    ],
    "coverageDirectory": "../coverage",
    "testEnvironment": "node"
  }
}
```

Desktop

  • OS: macOS Ventura 13.5
  • Hardware: MacBook Air M1 8GB
  • Versions: npm@10.2.0, node@21.1.0, mailer@1.9.1
Galileoomega changed the title from "NodeMailer creates critical severity vulnerabilities with nom" to "NodeMailer creates critical severity vulnerabilities" on Nov 7, 2023
Galileoomega changed the title from "NodeMailer creates critical severity vulnerabilities" to "NodeMailer creates critical severity vulnerabilities after install" on Nov 7, 2023
@Jonzubi

Jonzubi commented Nov 14, 2023

Same here. Ended up using alternatives like Resend. It has a really nice free plan.

@gterras

gterras commented Nov 15, 2023

Workaround before release #1021 (comment)

@matt-tek

Got the same problem, and using npm update doesn't fix it :(

@vygandas

Same problem here... @juandav , maybe you can help us? 😅

@GreenFlag31

Solution: Don't use this dependency and work directly with nodemailer.

10 lines of code to send a mail.
https://medium.com/@boladebode/exploring-the-new-release-of-nest-js-version-10-and-the-migration-from-nest-modules-mailer-b80c574f89e6

@maisnamraju

The package relies on inline-css, which in turn relies on superagent-proxy and vm2, which has a vulnerability.
You can check it here jonkemp/inline-css#126

@juandav juandav closed this as completed Dec 22, 2023