[Snyk] Security upgrade nodemailer from 6.10.0 to 7.0.11#18
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-14157156
CodeRabbit: review skipped (ignore keyword(s) in the title).
✅ Deploy Preview for comfy-crostata-209e70 ready!
Pull request overview
This PR upgrades nodemailer from version 6.10.0 to 7.0.11 to address a high severity security vulnerability (Uncontrolled Recursion - SNYK-JS-NODEMAILER-14157156). This is a major version upgrade that includes breaking changes affecting the project's email functionality.
Key changes:
- Updates nodemailer dependency from ^6.9.15 to ^7.0.11 in package.json
- Updates resolved version and integrity hash in package-lock.json
Critical Issue Identified: The upgrade introduces a breaking change with the existing nodemailer-ses-transport dependency (v1.5.1), which is incompatible with nodemailer 7.x. This will cause the email sending functionality in utils/email/emailSender.js to fail at runtime. The code must be migrated to use nodemailer's built-in SES transport instead.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates nodemailer dependency version from ^6.9.15 to ^7.0.11 |
| package-lock.json | Updates nodemailer resolved version from 6.10.0 to 7.0.11 with corresponding integrity hash |
| "next": "14.2.8", | ||
| "nodemailer": "^6.9.15", | ||
| "nodemailer": "^7.0.11", | ||
| "nodemailer-ses-transport": "^1.5.1", |
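Review bot: the bumped `"nodemailer": "^7.0.11"` line sits directly above an unchanged `"nodemailer-ses-transport": "^1.5.1"`, so after this hunk package.json declares a new major of nodemailer next to a transport wrapper left at its old pin; pair the bump with updating or removing that line in the same change rather than leaving the two to drift. The range also moves from `^6.9.15` to `^7.0.11`, which the previously locked 6.10.0 cannot satisfy, so the regenerated package-lock.json belongs in this PR (the overview lists it as changed but it is not shown in this hunk).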
The upgrade to nodemailer 7.x introduces a breaking change with nodemailer-ses-transport. The nodemailer-ses-transport package (v1.5.1, last updated in 2017) is incompatible with nodemailer 7.x and will cause runtime errors.
Nodemailer 7.x has built-in AWS SES support. You should:
- Remove the `nodemailer-ses-transport` dependency from package.json
- Update `utils/email/emailSender.js` to use nodemailer's built-in SES transport instead
Example migration:

```js
import { createTransport } from "nodemailer";
import aws from "@aws-sdk/client-ses";

// Build the SES client from the environment variables the project already uses.
const ses = new aws.SES({
  region: process.env.REGION,
  credentials: {
    accessKeyId: process.env.ACCESS_KEY_ID,
    secretAccessKey: process.env.SECRET_ACCESS_KEY,
  },
});

// Hand the client to nodemailer's built-in SES transport in place of nodemailer-ses-transport.
const sesTransport = createTransport({
  SES: { ses, aws },
});
```
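As an added example (not code from this PR, the Snyk bot, or the project), a small Node.js check for the two points raised in this thread: it reads package.json and package-lock.json text, confirms the locked nodemailer version is at or above 7.0.11, and flags a still-declared nodemailer-ses-transport once nodemailer is on 7.x. The file contents are constructed to mirror this PR, and the lock-file layout (lockfileVersion 2/3 `packages`, v1 `dependencies`) is an assumption.

```javascript
// Added example, not code from the PR or the project: check that the locked
// nodemailer version is at or above the release this PR upgrades to, and flag
// the nodemailer-ses-transport package once nodemailer is on 7.x.
const FIXED_VERSION = "7.0.11";

// Strip a leading range operator (^, ~, >=) and return [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[\^~>=<\s]+/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Assumption: lockfileVersion 2/3 use "packages", v1 uses "dependencies".
function lockedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`] || (lock.dependencies || {})[name];
  return entry ? entry.version : null;
}

function auditNodemailer(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lockedVersion(lock, "nodemailer");
  const findings = [];
  if (!locked) {
    findings.push("nodemailer is not present in the lock file");
  } else if (compareVersions(locked, FIXED_VERSION) < 0) {
    findings.push(`nodemailer ${locked} is below fixed version ${FIXED_VERSION}`);
  }
  if (locked && parseVersion(locked)[0] >= 7 && "nodemailer-ses-transport" in deps) {
    findings.push("nodemailer-ses-transport is still declared; it is incompatible with nodemailer 7.x");
  }
  return findings;
}

// Constructed inputs mirroring this PR: package.json after the bump, lock file before and after.
const PKG_AFTER = JSON.stringify({
  dependencies: { nodemailer: "^7.0.11", "nodemailer-ses-transport": "^1.5.1" },
});
const LOCK_BEFORE = JSON.stringify({ lockfileVersion: 3, packages: { "node_modules/nodemailer": { version: "6.10.0" } } });
const LOCK_AFTER = JSON.stringify({ lockfileVersion: 3, packages: { "node_modules/nodemailer": { version: "7.0.11" } } });
console.log("before:", auditNodemailer(PKG_AFTER, LOCK_BEFORE));
console.log("after:", auditNodemailer(PKG_AFTER, LOCK_AFTER));
```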
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-NODEMAILER-14157156
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.