@renovate-bot renovate-bot commented Oct 7, 2025

This PR contains the following updates:

Package: nodemailer (source)
Change: ^6.0.0 -> ^7.0.0

GitHub Vulnerability Alerts

GHSA-mm7p-fcc7-pg87

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "[email protected] x"@internal.domain
Using the following code to send mail:

const nodemailer = require("nodemailer");

// Transport used by the advisory's reproduction (credentials left blank).
let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <[email protected]>',
  // Recipient whose quoted local-part itself contains an '@'.
  to: "\"[email protected] x\"@internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);
});

(async () => {
  // Parse the same address with an RFC-aware parser to show where it should route.
  const parser = await import("@sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();

Running the script and seeing how this mail is parsed according to RFC

Parsed email: {
  address: '"[email protected] x"@internal.domain',
  local: '"[email protected] x"',
  domain: 'internal.domain'
}

But the email is sent to [email protected]


Impact:

  • Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

  • Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

  • Potential compliance issue: Violates RFC 5321/5322 parsing rules.

  • Domain based access control bypass in downstream applications using your library to send mails

Recommendations

  • Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

  • Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.


Release Notes

nodemailer/nodemailer (nodemailer)

v7.0.10

Compare Source

Bug Fixes
  • Increase data URI size limit from 100KB to 50MB and preserve content type (28dbf3f)

v7.0.9

Compare Source

Bug Fixes
  • release: Trying to fix release process by upgrading Node version in runner (579fce4)

v7.0.7

Compare Source

Bug Fixes
  • addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
  • dns: add memory leak prevention for DNS cache (0240d67)
  • linter: Updated eslint and created prettier formatting task (df13b74)
  • refresh expired DNS cache on error (#1759) (ea0fc5a)
  • resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

Compare Source

Bug Fixes
  • encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
  • handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
  • ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

v7.0.5

Compare Source

Bug Fixes
  • updated well known delivery service list (fa2724b)

v7.0.4

Compare Source

Bug Fixes
  • pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
  • smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
  • well-known-services: Added AliyunQiye (bb9e6da)

v7.0.3

Compare Source

Bug Fixes
  • attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

v7.0.2

Compare Source

Bug Fixes
  • ses: Fixed structured from header (faa9a5e)

v7.0.1

Compare Source

Bug Fixes
  • ses: Use formatted FromEmailAddress for SES emails (821cd09)

v7.0.0

Compare Source

⚠ BREAKING CHANGES
  • SESv2 SDK support, removed older SES SDK v2 and v3, removed SES rate limiting and idling features
Features
  • SESv2 SDK support, removed older SES SDK v2 and v3, removed SES rate limiting and idling features (15db667)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner October 7, 2025 23:11
@product-auto-label product-auto-label bot added samples Issues that are directly related to samples. api: compute Issues related to the Compute Engine API. labels Oct 7, 2025

dpebot commented Oct 7, 2025

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. actions:force-run labels Oct 7, 2025
@gemini-code-assist

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request upgrades the nodemailer dependency to its latest major version, v7.0.7, primarily to mitigate a significant security vulnerability. The vulnerability involved improper parsing of email addresses, potentially causing emails to be misdirected. This update ensures more robust and secure email handling, while also incorporating other bug fixes and a breaking change related to AWS SES SDK support.

Highlights

  • Dependency Update: The nodemailer package has been updated from ^6.0.0 to ^7.0.7.
  • Security Fix: This update addresses a critical security vulnerability (GHSA-mm7p-fcc7-pg87) in nodemailer related to incorrect handling of quoted local-parts in email addresses, which could lead to email misrouting and data leakage.
  • Major Version Upgrade: The update includes a major version bump to v7.0.0, which introduces breaking changes primarily around SESv2 SDK support, removing older SES SDK versions and related features.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates nodemailer to v7 to address a security vulnerability. While this is a necessary update, it's a major version bump. My review highlights a potential breaking change due to the use of the deprecated nodemailer-smtp-transport package, which may not be compatible with nodemailer v7. I've recommended refactoring the code to use nodemailer's built-in SMTP transport and removing the obsolete dependency. This is a critical step to ensure the application continues to function correctly after the update.

"@google-cloud/compute": "^4.0.0",
"@sendgrid/mail": "^8.0.0",
"nodemailer": "^6.0.0",
"nodemailer": "^7.0.7",
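Review bot: the floor ^7.0.7 in this hunk is the right one, since the addressparser fix for quoted nested email addresses (1150d99) ships in v7.0.7 according to the release notes above, but the update table at the top of the PR still says ^7.0.0, which would admit 7.0.0 through 7.0.6; please make the two agree so the stated range matches what is actually pinned. The hunk also leaves the nodemailer-smtp-transport dependency that compute/mailjet.js requires untouched, so confirm that package either works with nodemailer v7 or is removed in the same change, as the inline comment below suggests.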

high

While updating nodemailer to v7 is necessary for the security fix, this is a major version upgrade that might introduce breaking changes. The file compute/mailjet.js uses the nodemailer-smtp-transport package, which is deprecated and may not be compatible with nodemailer v7.

Since nodemailer v3, SMTP transport is built-in. You should refactor compute/mailjet.js to use the built-in transport and remove the nodemailer-smtp-transport dependency.

The current implementation in compute/mailjet.js is:

const mailer = require('nodemailer');
const smtp = require('nodemailer-smtp-transport');

// ...
const transport = mailer.createTransport(
  smtp({
    host: 'in.mailjet.com',
    port: 2525,
    // ...
  })
);

This should be changed to:

const mailer = require('nodemailer');

// ...
const transport = mailer.createTransport({
  host: 'in.mailjet.com',
  port: 2525,
  // ...
});

After refactoring the code, you should also remove nodemailer-smtp-transport from the dependencies in this file. Please also note that the tests in compute/test/mailjet.test.js mock both libraries and will not catch this potential integration issue.

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from dc7d631 to 6298cd7 Compare October 9, 2025 12:38

dpebot commented Oct 9, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 6298cd7 to 3e771df Compare October 9, 2025 20:02

dpebot commented Oct 9, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 3e771df to bee0702 Compare October 21, 2025 18:46

dpebot commented Oct 21, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from bee0702 to 87afc68 Compare October 22, 2025 08:47

dpebot commented Oct 22, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 87afc68 to 570c798 Compare October 22, 2025 21:06

dpebot commented Oct 22, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 570c798 to f0c61a0 Compare October 22, 2025 21:21

dpebot commented Oct 22, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from f0c61a0 to e804eda Compare October 23, 2025 04:53

dpebot commented Oct 23, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from e804eda to 460d670 Compare October 27, 2025 15:27

dpebot commented Oct 27, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 460d670 to 144bb27 Compare October 27, 2025 15:30

dpebot commented Oct 27, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 144bb27 to 02733df Compare October 28, 2025 11:41

dpebot commented Oct 28, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 02733df to 2b1e223 Compare October 28, 2025 21:50

dpebot commented Oct 28, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 2b1e223 to 4cf462b Compare November 3, 2025 15:17

dpebot commented Nov 3, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 4cf462b to aced3e5 Compare November 3, 2025 21:01

dpebot commented Nov 3, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from aced3e5 to d1f6850 Compare November 4, 2025 06:09

dpebot commented Nov 4, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from d1f6850 to f0532ff Compare November 4, 2025 06:12

dpebot commented Nov 4, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from f0532ff to c0c0e1b Compare November 10, 2025 23:11

dpebot commented Nov 10, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-nodemailer-vulnerability branch from c0c0e1b to cafbf4d Compare November 11, 2025 01:00

dpebot commented Nov 11, 2025

/gcbrun
