fix: bump nodemailer to ^9.0.1 to resolve GHSA-p6gq-j5cr-w38f#51

Open

pddivine wants to merge 1 commit into forwardemail:master from pddivine:fix/upgrade-nodemailer-9

Conversation

@pddivine


Summary

Bumps nodemailer from ^8.0.4 to ^9.0.1 to resolve a high-severity advisory.

Vulnerability

GHSA-p6gq-j5cr-w38f (CVSS 7.1, high) — nodemailer <=9.0.0 allowed the message-level raw option to bypass disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message. Fixed in nodemailer 9.0.1.

Confirmed locally with npm audit:

Before: 1 high (nodemailer)
After: nodemailer no longer flagged

9.x breaking-change assessment

The single breaking change in nodemailer 9.0.0 is that HTTPS requests fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate TLS certificates by default. preview-email uses nodemailer only via:

  • streamTransport: true in index.js to serialize a message to a buffer in-process, and
  • jsonTransport: true in the test suite.

Neither path fetches remote attachments, uses OAuth2, or proxies HTTPS, so the stricter TLS default has no behavioral impact here. No code changes are required.

The engines.node field is unaffected: nodemailer 9.x still declares node: >=6.0.0, well below this package's existing >=14.

Test plan

  • npm install — installs nodemailer 9.0.1
  • npm test — 8/8 tests pass (lint + ava)
  • npm audit — nodemailer no longer appears in the report

Nodemailer <=9.0.0 allowed the message-level `raw` option to bypass
`disableFileAccess`/`disableUrlAccess`, enabling arbitrary file read and
SSRF in the delivered message (CVSS 7.1, high). The fix landed in
nodemailer 9.0.1.

preview-email uses nodemailer only via `streamTransport` (in index.js)
and `jsonTransport` (in tests) and does not fetch remote attachments,
use OAuth2, or proxy HTTPS, so the 9.0.0 TLS-default breaking change is
not relevant here. The full test suite passes against 9.0.1 with no
code changes required.
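The advisory described above turns on message options that make nodemailer read a local path or fetch a URL on the application's behalf (the message-level `raw` option and attachment `path`/`href` entries). Upgrading to 9.0.1 is the fix; an application that accepts message fields from untrusted callers can additionally refuse those options before they reach any transport, so the guard does not depend on the library version. The following is an added example, not code from preview-email, nodemailer or this PR. The field names `raw`, `attachments[].path` and `attachments[].href` are the nodemailer message options the advisory names; restricting the check to those fields, the rejection policy itself, the helper names and the sample messages are this example's own assumptions.

```javascript
// Added example (not part of preview-email or nodemailer): an application-side
// guard that refuses message options nodemailer could resolve from the local
// filesystem or the network, independent of the installed library version.
// Only the fields named in the advisory on this page are checked here
// (message-level `raw`, attachments[].path, attachments[].href); that scope
// is an assumption of this example, not a statement about nodemailer's API.

// Attachment keys that tell nodemailer to fetch content from a path or URL.
const FETCHING_KEYS = ['path', 'href'];

// Returns a list of violations (empty when the message may be handed to a
// transport). `message` is a plain nodemailer-style message object.
function findUnsafeMessageOptions(message) {
  const violations = [];
  if (message == null || typeof message !== 'object') {
    return ['message must be an object'];
  }
  if ('raw' in message) {
    violations.push('raw: message-level raw content is not allowed');
  }
  const attachments = Array.isArray(message.attachments) ? message.attachments : [];
  attachments.forEach((att, i) => {
    if (att == null || typeof att !== 'object') {
      violations.push(`attachments[${i}]: must be an object`);
      return;
    }
    for (const key of FETCHING_KEYS) {
      if (key in att) {
        violations.push(`attachments[${i}].${key}: file/URL-sourced attachments are not allowed`);
      }
    }
  });
  return violations;
}

// Throws when the message would trigger file or URL access; returns it otherwise.
function assertMessageSafe(message) {
  const violations = findUnsafeMessageOptions(message);
  if (violations.length > 0) {
    throw new Error(`unsafe message options: ${violations.join('; ')}`);
  }
  return message;
}

// Minimal major.minor.patch parser; strips a leading range operator such as ^ or ~.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).replace(/^[\^~>=<\s]+/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the installed nodemailer version is at least the fixed release 9.0.1.
function isNodemailerPatched(installedVersion, fixedVersion = '9.0.1') {
  const a = parseSemver(installedVersion);
  const b = parseSemver(fixedVersion);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Constructed sample messages (not taken from the page).
const safeMessage = {
  from: 'noreply@example.invalid',
  to: 'user@example.invalid',
  subject: 'Report',
  text: 'See attached.',
  attachments: [{ filename: 'report.txt', content: 'inline content only' }],
};

const unsafeMessage = {
  from: 'noreply@example.invalid',
  to: 'user@example.invalid',
  raw: 'From: noreply@example.invalid\r\nSubject: x\r\n\r\nbody', // bypass vector from the advisory
  attachments: [{ filename: 'passwd', path: '/etc/passwd' }],      // local file read
};

console.log(findUnsafeMessageOptions(safeMessage));   // []
console.log(findUnsafeMessageOptions(unsafeMessage)); // two violations
console.log(isNodemailerPatched('8.0.4'), isNodemailerPatched('9.0.1')); // false true
```

Run `assertMessageSafe` on any message assembled from external input before calling the transport; keep it in place after the upgrade, since it costs nothing and catches the same class of option if it is reintroduced by a future dependency change.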
@JoelGritter


@titanism please review this, this impacts my work as well
