Skip to content

Bump nodemailer, mailparser and smtp-server#489

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-efe80b83e6
Closed

Bump nodemailer, mailparser and smtp-server#489
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-efe80b83e6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor

Bumps nodemailer to 9.0.1 and updates ancestor dependencies nodemailer, mailparser and smtp-server. These dependencies need to be updated together.

Updates nodemailer from 6.7.0 to 9.0.1

Release notes

Sourced from nodemailer's releases.

v9.0.1

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)

v8.0.10

8.0.10 (2026-05-29)

Bug Fixes

  • fall back to lower-severity handler when custom logger lacks a level method (6d849df)

v8.0.9

8.0.9 (2026-05-26)

Bug Fixes

  • two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)

8.0.10 (2026-05-29)

Bug Fixes

  • fall back to lower-severity handler when custom logger lacks a level method (6d849df)

8.0.9 (2026-05-26)

Bug Fixes

  • two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

8.0.8 (2026-05-23)

Bug Fixes

... (truncated)

Commits
  • 69cf625 chore(master): release 9.0.1 (#1828)
  • a82e060 fix: enforce disableFileAccess/disableUrlAccess for raw message option
  • 4e58450 chore: update dev dependencies
  • 541f5fd chore(master): release 9.0.0 (#1827)
  • 0c080fb fix: replace deprecated url.parse with a WHATWG URL wrapper
  • 6a947ac fix!: validate TLS certificates by default when fetching remote content
  • e3b1bda chore(master): release 8.0.11 (#1826)
  • 4358caf refactor: remove dead checks flagged by Code Quality analysis
  • cf5195c chore: harden workflow token permissions and update GitHub Actions
  • 067aebe fix: parse Ethereal response props without polynomial regex backtracking
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nodemailer since your current version.


Updates mailparser from 3.4.0 to 3.9.11

Release notes

Sourced from mailparser's releases.

mailparser: v3.8.1

3.8.1 (2025-11-05)

Bug Fixes

mailparser: v3.8.0

3.8.0 (2025-11-04)

Bug Fixes

  • deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
Changelog

Sourced from mailparser's changelog.

3.9.11 (2026-06-19)

Bug Fixes

  • bump nodemailer to 9.0.1 (020f140)

3.9.10 (2026-06-15)

Bug Fixes

  • bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4) (262ecff)

3.9.9 (2026-05-29)

Bug Fixes

3.9.8 (2026-04-08)

Bug Fixes

3.9.7 (2026-04-08)

Bug Fixes

3.9.6 (2026-03-25)

Bug Fixes

  • bump nodemailer to 8.0.4 (b2d7f77)

3.9.5 (2026-03-23)

Bug Fixes

3.9.4 (2026-03-09)

... (truncated)

Commits
  • 04116f0 chore(master): release 3.9.11 [skip-ci] (#425)
  • 020f140 fix: bump nodemailer to 9.0.1
  • b890336 docs: add PGP-signed SECURITY.txt (RFC 9116) [skip ci]
  • 705c237 chore(master): release 3.9.10 [skip-ci] (#424)
  • 588e483 chore: add CLAUDE.md, security policy and CodeQL workflow, modernize CI
  • 262ecff fix: bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4)
  • 25a0e6d chore(master): release 3.9.9 [skip-ci] (#422)
  • 7a83b91 fix: bumped deps
  • c80f391 chore(master): release 3.9.8 [skip-ci] (#420)
  • ea415b2 fix: Bumped deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mailparser since your current version.


Updates smtp-server from 3.10.0 to 3.19.1

Release notes

Sourced from smtp-server's releases.

smtp-server: v3.16.1

3.16.1 (2025-11-05)

Bug Fixes

  • relax email validation to accept Gmail forwarding addresses (b5ea6d9)

smtp-server: v3.16.0

3.16.0 (2025-10-29)

Features

  • add ability to customize auth required error message (e0f3e64)
  • add configurable heloResponse option for HELO/EHLO greeting (7c8279f)
  • added DSN capability to feature list (disabled by default) (#230) (bb17377)
  • added support for ENHANCEDSTATUSCODES and DSN (closes #224) (#225) (ad545ef)
  • added support for REQUIRETLS and other body params (71ce3aa)

Bug Fixes

  • 193 (657ac6e)
  • added resolver option, if server closing do not permit commands (fixes #177, fixes #181) (#222) (e79cac9)
  • bug with proxy (#218) (9515e38)
  • bumped deps (c499a3c)
  • Bumped deps (ce34da4)
  • deploy: added autorelease (0dbc8e1)
  • deps: Bumped deps (e096b12)
  • deps: Bumped deps (0a2d601)
  • deps: use punycode module (438c617)
  • release: fixed Git URL on package.json (5876626)
  • Replaced punycode with punycode.js (4ccbcf2)
  • strengthen email validation in _parseAddressCommand (9aced8d)
  • unref timers to allow graceful process exit (e2542d2)
  • XFORWARD: Fixed client hostname processing. Fixes #147 (d518417)
Changelog

Sourced from smtp-server's changelog.

3.19.1 (2026-06-19)

Bug Fixes

  • bump nodemailer to 9.0.1 (e3e6a6b)

3.19.0 (2026-06-15)

Features

  • add lenientAddressParsing option to relax strict address validation (2237bb4), closes #259
  • update stream.sizeExceeded and byteLength in real time (9051734)

Bug Fixes

  • cap PROXY header length to prevent unbounded buffering (38a3190)
  • expose SASL PLAIN authzid and reject control characters in usernames (4107568), closes #261
  • handle half-open socket close while reading PROXY header (cdaefd8)
  • prevent uncaughtException when client disconnects before PROXY header (e240a50)
  • reject STARTTLS parameters and control characters in envelope input (db1f3d4), closes #260
  • use crypto.randomBytes for CRAM-MD5 challenge (4dbc916)

3.18.5 (2026-05-29)

Bug Fixes

3.18.4 (2026-04-08)

Bug Fixes

3.18.3 (2026-03-25)

Bug Fixes

  • limit command line length to prevent memory exhaustion (592c566)

3.18.2 (2026-03-23)

Bug Fixes

... (truncated)

Commits
  • 58af498 chore(master): release 3.19.1 (#263)
  • e3e6a6b fix: bump nodemailer to 9.0.1
  • 9b4e561 Merge pull request #258 from nodemailer/release-please--branches--master--com...
  • bc5e49f docs: expand SECURITY.txt with RFC 9116 fields [skip ci]
  • 351d471 chore(master): release 3.19.0
  • f5e86cf ci: modernize workflows and add CodeQL code scanning
  • 65da712 chore: update dependencies
  • e453d46 chore: update dependencies
  • 4c0a408 docs: add security policy
  • 9051734 feat: update stream.sizeExceeded and byteLength in real time
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for smtp-server since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [nodemailer](https://github.com/nodemailer/nodemailer) to 9.0.1 and updates ancestor dependencies [nodemailer](https://github.com/nodemailer/nodemailer), [mailparser](https://github.com/nodemailer/mailparser) and [smtp-server](https://github.com/nodemailer/smtp-server). These dependencies need to be updated together.


Updates `nodemailer` from 6.7.0 to 9.0.1
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v6.7.0...v9.0.1)

Updates `mailparser` from 3.4.0 to 3.9.11
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.4.0...v3.9.11)

Updates `smtp-server` from 3.10.0 to 3.19.1
- [Release notes](https://github.com/nodemailer/smtp-server/releases)
- [Changelog](https://github.com/nodemailer/smtp-server/blob/master/CHANGELOG.md)
- [Commits](nodemailer/smtp-server@v3.10.0...v3.19.1)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 9.0.1
  dependency-type: indirect
- dependency-name: mailparser
  dependency-version: 3.9.11
  dependency-type: direct:production
- dependency-name: smtp-server
  dependency-version: 3.19.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are no longer a dependency, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-efe80b83e6 branch July 6, 2026 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants