Skip to content

build(deps): bump nodemailer from 8.0.10 to 9.0.3 in /backend#731

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/backend/nodemailer-9.0.3
Open

build(deps): bump nodemailer from 8.0.10 to 9.0.3 in /backend#731
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/backend/nodemailer-9.0.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps nodemailer from 8.0.10 to 9.0.3.

Release notes

Sourced from nodemailer's releases.

v9.0.3

9.0.3 (2026-06-30)

Bug Fixes

  • smtp-connection: harden STARTTLS upgrade and secure socket handling (#1835) (07d8253)

v9.0.2

9.0.2 (2026-06-29)

Bug Fixes

  • addressparser: keep operator chars inside an address-literal as text (#1829) (9ba1064)
  • harden smtp-connection low-severity issues (22ddcea)
  • harden smtp-connection response parsing and socket lifecycle (68860b9)
  • prevent SES transport callback double-invocation and hang on sync errors (#1831) (9517bc5)
  • reject CRLF in HTTP proxy CONNECT destination to prevent request injection (6347b47)

v9.0.1

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

9.0.3 (2026-06-30)

Bug Fixes

  • smtp-connection: harden STARTTLS upgrade and secure socket handling (#1835) (07d8253)

9.0.2 (2026-06-29)

Bug Fixes

  • addressparser: keep operator chars inside an address-literal as text (#1829) (9ba1064)
  • harden smtp-connection low-severity issues (22ddcea)
  • harden smtp-connection response parsing and socket lifecycle (68860b9)
  • prevent SES transport callback double-invocation and hang on sync errors (#1831) (9517bc5)
  • reject CRLF in HTTP proxy CONNECT destination to prevent request injection (6347b47)

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)
Commits
  • 1f61eb4 chore(master): release 9.0.3 (#1836)
  • 07d8253 fix(smtp-connection): harden STARTTLS upgrade and secure socket handling (#1835)
  • 4801f3a chore(master): release 9.0.2 (#1832)
  • 9ba1064 fix(addressparser): keep operator chars inside an address-literal as text (#1...
  • 22ddcea fix: harden smtp-connection low-severity issues
  • af002eb chore: add Node.js 26 to the CI test matrix
  • 6347b47 fix: reject CRLF in HTTP proxy CONNECT destination to prevent request injection
  • 68860b9 fix: harden smtp-connection response parsing and socket lifecycle
  • 9517bc5 fix: prevent SES transport callback double-invocation and hang on sync errors...
  • 69cf625 chore(master): release 9.0.1 (#1828)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 8.0.10 to 9.0.3.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.10...v9.0.3)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 9.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants