chore(deps): update dependency nodemailer to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nodemailer (source)	^6.10.0 -> ^7.0.0

GitHub Vulnerability Alerts

GHSA-mm7p-fcc7-pg87

The email parsing library incorrectly handles quoted local-parts containing @​. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "[email protected] x"@​internal.domain
Using the following code to send mail

const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <[email protected]>', 
  to: "\"[email protected] x\"@&#8203;internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);

});

(async () => {
  const parser = await import("@&#8203;sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@&#8203;${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();

Running the script and seeing how this mail is parsed according to RFC

Parsed email: {
  address: '"[email protected] x"@​internal.domain',
  local: '"[email protected] x"',
  domain: 'internal.domain'
}

But the email is sent to [email protected]

Impact:

• Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

• Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

• Potential compliance issue: Violates RFC 5321/5322 parsing rules.

• Domain based access control bypass in downstream applications using your library to send mails

Recommendations

• Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

• Add strict validation rejecting local-parts containing embedded @​ unless fully compliant with quoting.

---

Release Notes

nodemailer/nodemailer (nodemailer)

v7.0.7

Compare Source

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#​1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

Compare Source

Bug Fixes

• encoder: avoid silent data loss by properly flushing trailing base64 (#​1747) (01ae76f)
• handle multiple XOAUTH2 token requests correctly (#​1754) (dbe0028)
• ReDoS vulnerability in parseDataURI and _processDataUrl (#​1755) (90b3e24)

v7.0.5

Compare Source

Bug Fixes

• updated well known delivery service list (fa2724b)

v7.0.4

Compare Source

Bug Fixes

• pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
• smtp-connection: jsdoc public annotation for socket (#​1741) (c45c84f)
• well-known-services: Added AliyunQiye (bb9e6da)

v7.0.3

Compare Source

Bug Fixes

• attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

v7.0.2

Compare Source

Bug Fixes

• ses: Fixed structured from header (faa9a5e)

v7.0.1

Compare Source

Bug Fixes

• ses: Use formatted FromEmailAddress for SES emails (821cd09)

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features

Features

• SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features (15db667)

v6.10.1

Compare Source

Bug Fixes

• close correct socket (a18062c)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: benches/pnpm-lock.yaml

 ERROR  Failed to switch pnpm to v9.11.0. Looks like pnpm CLI is missing at "/home/ubuntu/.local/share/pnpm/.tools/pnpm/9.11.0/bin" or is incorrect
spawnSync /home/ubuntu/.local/share/pnpm/.tools/pnpm/9.11.0/bin/pnpm ENOENT