fix(deps): update dependency nodemailer to v6.9.9 [security] #6620
Conversation
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details: Unknown scope "deps" found in pull request title "fix(deps): update dependency nodemailer to v6.9.9 [security]". Scope must match one of: root, api, dashboard, inbound-mail, web, webhook, widget, worker, ws, ee-auth, ee-billing, ee-dal, ee-shared-services, ee-translation, application-generic, automation, dal, design-system, embed, notifications, novui, testing, client, framework, headless, js, nest, nextjs, node, notification-center, novu, providers, react, react-native, shared, stateless, nestjs, nextjs.
✅ Deploy Preview for novu-stg-vite-dashboard-poc ready!
To edit notification comments on pull requests, go to your Netlify site configuration.
Force-push history (head commit before -> after; Compare links dropped): 44faabe -> 49f30ba -> 90c6f77 -> 17b88a1 -> d40a6d8 -> 5940369 -> 758b3eb -> 04afb20; 92d12b9 -> 3b1926e -> 3f294e5 -> 0479445 -> 398a54f -> 91abfdb -> 0daf6cc -> 5e672d2
This PR contains the following updates:
Package: nodemailer, change: 6.9.1 -> 6.9.9
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
GHSA-9h6g-pr28-7cqp
Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to get stuck. Another flaw was found when nodemailer tries to parse an attachment with an embedded file, causing the event loop to get stuck.
Details
Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/
Path: compile -> getAttachments -> _processDataUrl
Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/
Path: _convertDataImages
PoC
https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
Impact
ReDoS causes the event loop to get stuck; a specially crafted evil email can cause this problem.
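As an added example, not code from nodemailer or from this PR: a regex-free, single-pass splitter for the two parsing paths the advisory names (the attachment data URL handled in _processDataUrl and the inline <img src="data:..."> handled in _convertDataImages), plus a version gate for the fixed release. The function names parseDataUrl, extractImgDataUrls and isVulnerableToGhsa9h6gPr287cqp, and the sample inputs, are constructed for this example. The splitter follows RFC 2397 in treating the first comma as the end of the header, which removes the ambiguity (a header segment that may itself contain commas) that lets the quoted pattern backtrack.

```javascript
'use strict';

// Constructed sample inputs (not from the PoC gists): a small data URL and a
// snippet of HTML with one inline image and one remote image.
const SAMPLE_DATA_URL = 'data:image/png;base64,iVBORw0KGgo=';
const SAMPLE_HTML =
  '<p>Hi</p><img alt="logo" src="data:image/png;base64,iVBORw0KGgo=">' +
  '<img src="https://example.invalid/a.png">';

// Split a data: URL into media type, parameters and payload in one pass.
// The first comma terminates the header (RFC 2397), so there is no
// nested-quantifier ambiguity and the cost is linear in the input length.
function parseDataUrl(url) {
  if (typeof url !== 'string' || !url.toLowerCase().startsWith('data:')) return null;
  const comma = url.indexOf(',');
  if (comma === -1) return null;                 // no payload separator: not a data URL
  const header = url.slice(5, comma);            // between "data:" and ","
  const payload = url.slice(comma + 1);
  const fields = header.split(';');
  const mediaType = fields[0] || 'text/plain';   // RFC 2397 default when omitted
  const params = fields.slice(1);
  const isBase64 = params.some(p => p.toLowerCase() === 'base64');
  return { mediaType, params, isBase64, payload };
}

// Walk the HTML with indexOf, collecting every <img> whose src is a data URL.
// Assumption: attributes are separated by whitespace and src is written as
// src=... (this does not try to be a full HTML parser).
function extractImgDataUrls(html) {
  const out = [];
  let pos = 0;
  for (;;) {
    const start = html.indexOf('<img', pos);
    if (start === -1) break;
    const end = html.indexOf('>', start);
    if (end === -1) break;                        // unterminated tag: stop scanning
    const tag = html.slice(start, end);
    pos = end + 1;
    const m = tag.indexOf('src=');
    if (m === -1) continue;
    let v = tag.slice(m + 4).trim();
    const q = v[0];
    if (q === '"' || q === "'") {
      const close = v.indexOf(q, 1);
      v = close === -1 ? v.slice(1) : v.slice(1, close);
    } else {
      let i = 0;                                  // unquoted value ends at whitespace
      while (i < v.length && !' \t\r\n'.includes(v[i])) i++;
      v = v.slice(0, i);
    }
    if (v.toLowerCase().startsWith('data:')) out.push(v);
  }
  return out;
}

// Minimal three-part semver comparison for the version gate below.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

const FIXED_VERSION = '6.9.9'; // the version this PR moves nodemailer to

// True when an installed nodemailer version is below the fixed release.
function isVulnerableToGhsa9h6gPr287cqp(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Stand-alone run: node this_file.js
console.log(parseDataUrl(SAMPLE_DATA_URL));
console.log(extractImgDataUrls(SAMPLE_HTML));
console.log('6.9.1 vulnerable:', isVulnerableToGhsa9h6gPr287cqp('6.9.1'));
```

For well-formed inputs the splitter yields the same media type, parameters and payload the regex match groups would; for malformed inputs whose header contains an unencoded comma it deliberately stops at the first comma instead of searching for a later one, which is exactly the work the original pattern could be forced to repeat.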
Release Notes
nodemailer/nodemailer (nodemailer)
v6.9.9: Bug Fixes
v6.9.8: Bug Fixes
v6.9.7: Bug Fixes
v6.9.6: Bug Fixes
v6.9.5: Bug Fixes
v6.9.4
v6.9.3
v6.9.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.