Skip to content

Bump nodemailer, mailparser and smtp-server#484

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-f4950d24a5
Closed

Bump nodemailer, mailparser and smtp-server#484
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-f4950d24a5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps nodemailer to 9.0.0 and updates ancestor dependencies nodemailer, mailparser and smtp-server. These dependencies need to be updated together.

Updates nodemailer from 6.7.0 to 9.0.0

Release notes

Sourced from nodemailer's releases.

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)

v8.0.10

8.0.10 (2026-05-29)

Bug Fixes

  • fall back to lower-severity handler when custom logger lacks a level method (6d849df)

v8.0.9

8.0.9 (2026-05-26)

Bug Fixes

  • two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

v8.0.8

8.0.8 (2026-05-23)

Bug Fixes

  • enforce strict TLS for OAuth2 and Ethereal credential requests (#1818) (833d6e5)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)

8.0.10 (2026-05-29)

Bug Fixes

  • fall back to lower-severity handler when custom logger lacks a level method (6d849df)

8.0.9 (2026-05-26)

Bug Fixes

  • two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

8.0.8 (2026-05-23)

Bug Fixes

  • enforce strict TLS for OAuth2 and Ethereal credential requests (#1818) (833d6e5)
  • four listener/stream leaks in SMTP transport, connection, pool (#1817) (850bb91)

8.0.7 (2026-04-27)

... (truncated)

Commits
  • 541f5fd chore(master): release 9.0.0 (#1827)
  • 0c080fb fix: replace deprecated url.parse with a WHATWG URL wrapper
  • 6a947ac fix!: validate TLS certificates by default when fetching remote content
  • e3b1bda chore(master): release 8.0.11 (#1826)
  • 4358caf refactor: remove dead checks flagged by Code Quality analysis
  • cf5195c chore: harden workflow token permissions and update GitHub Actions
  • 067aebe fix: parse Ethereal response props without polynomial regex backtracking
  • 0cee4fe chore: add CodeQL code scanning workflow
  • cb9da47 chore: update dev dependencies
  • e0a4928 chore: format CLAUDE.md with prettier
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nodemailer since your current version.


Updates mailparser from 3.4.0 to 3.9.10

Release notes

Sourced from mailparser's releases.

mailparser: v3.8.1

3.8.1 (2025-11-05)

Bug Fixes

mailparser: v3.8.0

3.8.0 (2025-11-04)

Bug Fixes

  • deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
Changelog

Sourced from mailparser's changelog.

3.9.10 (2026-06-15)

Bug Fixes

  • bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4) (262ecff)

3.9.9 (2026-05-29)

Bug Fixes

3.9.8 (2026-04-08)

Bug Fixes

3.9.7 (2026-04-08)

Bug Fixes

3.9.6 (2026-03-25)

Bug Fixes

  • bump nodemailer to 8.0.4 (b2d7f77)

3.9.5 (2026-03-23)

Bug Fixes

3.9.4 (2026-03-09)

Bug Fixes

  • bump nodemailer to 8.0.2 for unquoted comma-in-display-name parsing (dd71f08)
  • filter false values from empty References headers (9884e5d), closes #385
  • prevent RFC 2047 encoded-word address fabrication in decodeAddresses (08b800c)

... (truncated)

Commits
  • 705c237 chore(master): release 3.9.10 [skip-ci] (#424)
  • 588e483 chore: add CLAUDE.md, security policy and CodeQL workflow, modernize CI
  • 262ecff fix: bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4)
  • 25a0e6d chore(master): release 3.9.9 [skip-ci] (#422)
  • 7a83b91 fix: bumped deps
  • c80f391 chore(master): release 3.9.8 [skip-ci] (#420)
  • ea415b2 fix: Bumped deps
  • 6785c3c chore(master): release 3.9.7 [skip-ci] (#419)
  • 35cf54f fix: Bumped deps
  • 7f17ae9 chore(master): release 3.9.6 [skip-ci]
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mailparser since your current version.


Updates smtp-server from 3.10.0 to 3.19.0

Release notes

Sourced from smtp-server's releases.

smtp-server: v3.16.1

3.16.1 (2025-11-05)

Bug Fixes

  • relax email validation to accept Gmail forwarding addresses (b5ea6d9)

smtp-server: v3.16.0

3.16.0 (2025-10-29)

Features

  • add ability to customize auth required error message (e0f3e64)
  • add configurable heloResponse option for HELO/EHLO greeting (7c8279f)
  • added DSN capability to feature list (disabled by default) (#230) (bb17377)
  • added support for ENHANCEDSTATUSCODES and DSN (closes #224) (#225) (ad545ef)
  • added support for REQUIRETLS and other body params (71ce3aa)

Bug Fixes

  • 193 (657ac6e)
  • added resolver option, if server closing do not permit commands (fixes #177, fixes #181) (#222) (e79cac9)
  • bug with proxy (#218) (9515e38)
  • bumped deps (c499a3c)
  • Bumped deps (ce34da4)
  • deploy: added autorelease (0dbc8e1)
  • deps: Bumped deps (e096b12)
  • deps: Bumped deps (0a2d601)
  • deps: use punycode module (438c617)
  • release: fixed Git URL on package.json (5876626)
  • Replaced punycode with punycode.js (4ccbcf2)
  • strengthen email validation in _parseAddressCommand (9aced8d)
  • unref timers to allow graceful process exit (e2542d2)
  • XFORWARD: Fixed client hostname processing. Fixes #147 (d518417)
Changelog

Sourced from smtp-server's changelog.

3.19.0 (2026-06-15)

Features

  • add lenientAddressParsing option to relax strict address validation (2237bb4), closes #259
  • update stream.sizeExceeded and byteLength in real time (9051734)

Bug Fixes

  • cap PROXY header length to prevent unbounded buffering (38a3190)
  • expose SASL PLAIN authzid and reject control characters in usernames (4107568), closes #261
  • handle half-open socket close while reading PROXY header (cdaefd8)
  • prevent uncaughtException when client disconnects before PROXY header (e240a50)
  • reject STARTTLS parameters and control characters in envelope input (db1f3d4), closes #260
  • use crypto.randomBytes for CRAM-MD5 challenge (4dbc916)

3.18.5 (2026-05-29)

Bug Fixes

3.18.4 (2026-04-08)

Bug Fixes

3.18.3 (2026-03-25)

Bug Fixes

  • limit command line length to prevent memory exhaustion (592c566)

3.18.2 (2026-03-23)

Bug Fixes

3.18.1 (2026-01-28)

Bug Fixes

... (truncated)

Commits
  • 9b4e561 Merge pull request #258 from nodemailer/release-please--branches--master--com...
  • bc5e49f docs: expand SECURITY.txt with RFC 9116 fields [skip ci]
  • 351d471 chore(master): release 3.19.0
  • f5e86cf ci: modernize workflows and add CodeQL code scanning
  • 65da712 chore: update dependencies
  • e453d46 chore: update dependencies
  • 4c0a408 docs: add security policy
  • 9051734 feat: update stream.sizeExceeded and byteLength in real time
  • 4dbc916 fix: use crypto.randomBytes for CRAM-MD5 challenge
  • 38a3190 fix: cap PROXY header length to prevent unbounded buffering
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for smtp-server since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [nodemailer](https://github.com/nodemailer/nodemailer) to 9.0.0 and updates ancestor dependencies [nodemailer](https://github.com/nodemailer/nodemailer), [mailparser](https://github.com/nodemailer/mailparser) and [smtp-server](https://github.com/nodemailer/smtp-server). These dependencies need to be updated together.


Updates `nodemailer` from 6.7.0 to 9.0.0
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v6.7.0...v9.0.0)

Updates `mailparser` from 3.4.0 to 3.9.10
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.4.0...v3.9.10)

Updates `smtp-server` from 3.10.0 to 3.19.0
- [Release notes](https://github.com/nodemailer/smtp-server/releases)
- [Changelog](https://github.com/nodemailer/smtp-server/blob/master/CHANGELOG.md)
- [Commits](nodemailer/smtp-server@v3.10.0...v3.19.0)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 9.0.0
  dependency-type: indirect
- dependency-name: mailparser
  dependency-version: 3.9.10
  dependency-type: direct:production
- dependency-name: smtp-server
  dependency-version: 3.19.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #489.

@dependabot dependabot Bot closed this Jun 20, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-f4950d24a5 branch June 20, 2026 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants