chore(deps): bump nodemailer from 8.0.4 to 8.0.5 in the npm_and_yarn group across 1 directory #1164

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-2867179b1e

@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: nodemailer.

Updates nodemailer from 8.0.4 to 8.0.5

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

  • decode SMTP server responses as UTF-8 at line boundary (95876b1)
  • sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

  • decode SMTP server responses as UTF-8 at line boundary (95876b1)
  • sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

Commits
  • 202cfb3 chore(master): release 8.0.5 (#1809)
  • b634abf docs: add CLAUDE.md with project conventions and release process
  • 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
  • 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
  • 08e59e6 chore: update dev dependencies
  • See full diff in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 8, 2026

vercel bot commented Apr 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| pin-point | Ready | Preview, Comment | Apr 12, 2026 0:41am |

@timothyfroehlich timothyfroehlich enabled auto-merge (squash) April 12, 2026 00:38
Bumps the npm_and_yarn group with 1 update in the / directory: [nodemailer](https://github.com/nodemailer/nodemailer).


Updates `nodemailer` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.4...v8.0.5)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-2867179b1e branch from 3b9e706 to f06e0e5 Compare April 12, 2026 00:40
timothyfroehlich added a commit that referenced this pull request Apr 12, 2026
…CI audit

next@16.2.3 fixes HIGH severity DoS via Server Components (GHSA-q4gf-8mx6-v5v3).
nodemailer@8.0.5 fixes MODERATE SMTP injection via CRLF (GHSA-vvjj-xcjg-gr5g).

Both vulnerabilities caused `pnpm audit` to fail on main, blocking CI Gate
for all PRs. Also bumps @next/env, @next/mdx, eslint-config-next in lockstep.

Closes #1164

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@timothyfroehlich
Owner

Superseded by #1168 which bumps both nodemailer and next (the next.js HIGH vuln was blocking this PR's CI too).

auto-merge was automatically disabled April 12, 2026 01:03

Pull request was closed


dependabot bot commented on behalf of github Apr 12, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-2867179b1e branch April 12, 2026 01:03
timothyfroehlich added a commit that referenced this pull request Apr 12, 2026
…CI audit (#1168)

next@16.2.3 fixes HIGH severity DoS via Server Components (GHSA-q4gf-8mx6-v5v3).
nodemailer@8.0.5 fixes MODERATE SMTP injection via CRLF (GHSA-vvjj-xcjg-gr5g).

Both vulnerabilities caused `pnpm audit` to fail on main, blocking CI Gate
for all PRs. Also bumps @next/env, @next/mdx, eslint-config-next in lockstep.

Closes #1164

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>