Skip to content

chore(deps): bump nodemailer from 8.0.11 to 9.0.3#206

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/nodemailer-9.0.3
Open

chore(deps): bump nodemailer from 8.0.11 to 9.0.3#206
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/nodemailer-9.0.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps nodemailer from 8.0.11 to 9.0.3.

Release notes

Sourced from nodemailer's releases.

v9.0.3

9.0.3 (2026-06-30)

Bug Fixes

  • smtp-connection: harden STARTTLS upgrade and secure socket handling (#1835) (07d8253)

v9.0.2

9.0.2 (2026-06-29)

Bug Fixes

  • addressparser: keep operator chars inside an address-literal as text (#1829) (9ba1064)
  • harden smtp-connection low-severity issues (22ddcea)
  • harden smtp-connection response parsing and socket lifecycle (68860b9)
  • prevent SES transport callback double-invocation and hang on sync errors (#1831) (9517bc5)
  • reject CRLF in HTTP proxy CONNECT destination to prevent request injection (6347b47)

v9.0.1

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)
Changelog

Sourced from nodemailer's changelog.

9.0.3 (2026-06-30)

Bug Fixes

  • smtp-connection: harden STARTTLS upgrade and secure socket handling (#1835) (07d8253)

9.0.2 (2026-06-29)

Bug Fixes

  • addressparser: keep operator chars inside an address-literal as text (#1829) (9ba1064)
  • harden smtp-connection low-severity issues (22ddcea)
  • harden smtp-connection response parsing and socket lifecycle (68860b9)
  • prevent SES transport callback double-invocation and hang on sync errors (#1831) (9517bc5)
  • reject CRLF in HTTP proxy CONNECT destination to prevent request injection (6347b47)

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)
Commits
  • 1f61eb4 chore(master): release 9.0.3 (#1836)
  • 07d8253 fix(smtp-connection): harden STARTTLS upgrade and secure socket handling (#1835)
  • 4801f3a chore(master): release 9.0.2 (#1832)
  • 9ba1064 fix(addressparser): keep operator chars inside an address-literal as text (#1...
  • 22ddcea fix: harden smtp-connection low-severity issues
  • af002eb chore: add Node.js 26 to the CI test matrix
  • 6347b47 fix: reject CRLF in HTTP proxy CONNECT destination to prevent request injection
  • 68860b9 fix: harden smtp-connection response parsing and socket lifecycle
  • 9517bc5 fix: prevent SES transport callback double-invocation and hang on sync errors...
  • 69cf625 chore(master): release 9.0.1 (#1828)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 8.0.11 to 9.0.3.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.11...v9.0.3)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 9.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants