build(deps): bump nodemailer from 6.9.14 to 7.0.7 #497
base: develop
Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 6.9.14 to 7.0.7.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v6.9.14...v7.0.7)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 7.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Greptile Overview
Summary
This PR upgrades the `nodemailer` package from version 6.9.14 to 7.0.7, representing a major version bump that brings critical security fixes and bug improvements. The update addresses several important issues including DNS cache memory leaks, ReDoS (Regular expression Denial of Service) vulnerabilities in URI parsing functions, and improvements to email address parsing for quoted nested addresses.
Nodemailer is a core dependency in Ever Traduora's mail service (api/src/services/mail.service.ts), which handles critical email functionality including password reset tokens, welcome emails, project invitations, and platform notifications. The upgrade also includes fixes for XOAUTH2 token handling, base64 encoding data loss prevention, and improvements to SMTP connection pooling.
The TypeScript definitions remain at version 6.4.15 (@types/nodemailer), which may need attention as they might not include type definitions for new v7 features. However, this is common during major version transitions and typically doesn't cause runtime issues.
Important Files Changed
Changed Files
| Filename | Score | Overview |
|---|---|---|
| api/package.json | 3/5 | Updates nodemailer from 6.9.14 to 7.0.7 (major version upgrade with security fixes) |
Confidence score: 3/5
- This PR requires careful review due to the major version upgrade of a critical email service dependency
- Score reflects the importance of email functionality and potential breaking changes in major version upgrades
- Pay close attention to the mail service functionality and test email features thoroughly before merging
Additional Comments (1)
- `api/package.json`, line 96 (link) logic: The `@types/nodemailer` package is still at version 6.4.15 while nodemailer was upgraded to 7.0.7. This version mismatch may cause TypeScript compilation issues.
  Context Used: Rule from `dashboard` - When updating dependencies via automated PRs (like Dependabot), ensure the package.json file is expl... (source)
1 file reviewed, 1 comment
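An added example (not code from this PR, from Greptile or from Traduora): one way to catch the drift the review comment above points out, by comparing the major version of each `@types/*` package with the runtime package it describes. The manifest is constructed around the two nodemailer versions named on this page, the function names are hypothetical, and the check assumes the DefinitelyTyped convention that a types package's major version tracks the library's.

```javascript
// Constructed sample manifest; only the two nodemailer versions come from the page.
const samplePackageJson = JSON.stringify({
  dependencies: {
    nodemailer: '7.0.7',
    '@babel/core': '^7.24.0',
    express: 'github:expressjs/express',
  },
  devDependencies: {
    '@types/nodemailer': '6.4.15',
    '@types/node': '^20.0.0',
    '@types/babel__core': '^7.20.5',
    '@types/express': '^4.17.21',
  },
});

// Leading major version of a semver spec such as "^6.4.15".
// Returns null for dist-tags, git URLs, "*" and anything else without a leading number.
function majorOf(spec) {
  const m = /^[\^~>=<v\s]*(\d+)(?:\.|$)/.exec(String(spec));
  return m ? Number(m[1]) : null;
}

// DefinitelyTyped naming: @types/foo -> foo, @types/scope__name -> @scope/name.
function runtimeNameFor(typesName) {
  const bare = typesName.slice('@types/'.length);
  return bare.includes('__') ? '@' + bare.replace('__', '/') : bare;
}

// Report every @types/* entry whose major differs from its runtime package,
// plus pairs where a spec cannot be parsed and needs a manual look.
function findTypeDrift(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const all = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const [name, typesSpec] of Object.entries(all)) {
    if (!name.startsWith('@types/')) continue;
    const runtime = runtimeNameFor(name);
    if (!Object.hasOwn(all, runtime)) continue; // e.g. @types/node has no runtime entry
    const runtimeSpec = all[runtime];
    const typesMajor = majorOf(typesSpec);
    const runtimeMajor = majorOf(runtimeSpec);
    let status = null;
    if (typesMajor === null || runtimeMajor === null) status = 'unparseable';
    else if (typesMajor !== runtimeMajor) status = 'major-mismatch';
    if (status) findings.push({ runtime, status, runtimeSpec, typesSpec });
  }
  return findings;
}

console.log(findTypeDrift(samplePackageJson));
```

Run in CI against the real `package.json`, a non-empty result can fail the job so that a major bump like this one is not merged with stale type definitions unnoticed.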
@samuelmbabhazi can you check if this package can be safely updated? I think it requires some changes, as we recently did the same for Ever Gauzy?
This PR is safe to be merged, I tested that nothing was broken, @evereq
Bumps nodemailer from 6.9.14 to 7.0.7.
Release notes
Sourced from nodemailer's releases.
... (truncated)
Changelog
Sourced from nodemailer's changelog.
... (truncated)
Commits
- 9357a71 chore(master): release 7.0.7 [skip-ci] (#1761)
- df13b74 fix(linter): Updated eslint and created prettier formatting task
- 62629a0 Updated tests for addressparser
- 1150d99 fix(addressparser): Fixed addressparser handling of quoted nested email addre...
- 3b8982c fix: resolve linter errors in DNS cache tests
- 0240d67 fix(dns): add memory leak prevention for DNS cache
- ea0fc5a fix: refresh expired DNS cache on error (#1759)
- 430ca75 chore(master): release 7.0.6 [skip-ci] (#1753)
- e3e700c Bumped deps
- f322c38 replaced escaped single quotes with unescaped ones
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.