[Snyk] Upgrade nodemailer from 2.7.2 to 7.0.5

[SherfeyInv]

Snyk has created this PR to upgrade nodemailer from 2.7.2 to 7.0.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 105 versions ahead of your current version.

• The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	655	Proof of Concept
	Command Injection SNYK-JS-NODEMAILER-1038834	655	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JS-IP-7148531	655	Proof of Concept
	HTTP Header Injection SNYK-JS-NODEMAILER-1296415	655	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-NODEMAILER-6219989	655	Proof of Concept

Release notes

Package name: nodemailer

• 7.0.5 - 2025-07-07
  

  7.0.5 (2025-07-07)

  Bug Fixes

  • updated well known delivery service list (fa2724b)
• 7.0.4 - 2025-06-29
  

  7.0.4 (2025-06-29)

  Bug Fixes

  • pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
  • smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
  • well-known-services: Added AliyunQiye (bb9e6da)
• 7.0.3 - 2025-05-08
  

  7.0.3 (2025-05-08)

  Bug Fixes

  • attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)
• 7.0.2 - 2025-05-04
  

  7.0.2 (2025-05-04)

  Bug Fixes

  • ses: Fixed structured from header (faa9a5e)
• 7.0.1 - 2025-05-04
  

  7.0.1 (2025-05-04)

  Bug Fixes

  • ses: Use formatted FromEmailAddress for SES emails (821cd09)
• 7.0.0 - 2025-05-03
  

  7.0.0 (2025-05-03)

  ⚠ BREAKING CHANGES

  • SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features

  See SES Transport Docs for updated usage details

  Features

  • SESv2 SDK support, removed older SES SDK v2 and v3 , removed SES rate limiting and idling features (15db667)
• 6.10.1 - 2025-04-13
  

  6.10.1 (2025-02-06)

  Bug Fixes

  • close correct socket (a18062c)
• 6.10.0 - 2025-01-23
  

  6.10.0 (2025-01-23)

  Features

  • services: add Seznam email service configuration (#1695) (d1ae0a8)

  Bug Fixes

  • proxy: Set error and timeout errors for proxied sockets (aa0c99c)
• 6.9.16 - 2024-10-28
  

  6.9.16 (2024-10-28)

  Bug Fixes

  • addressparser: Correctly detect if user local part is attached to domain part (f2096c5)
• 6.9.15 - 2024-09-03
  

  6.9.15 (2024-08-08)

  Bug Fixes

  • Fix memory leak (#1667) (baa28f6)
  • mime: Added GeoJSON closes #1637 (#1665) (79b8293)
• 6.9.14 - 2024-06-19
• 6.9.13 - 2024-03-20
• 6.9.12 - 2024-03-08
• 6.9.11 - 2024-02-29
• 6.9.10 - 2024-02-22
• 6.9.9 - 2024-02-01
• 6.9.8 - 2023-12-30
• 6.9.7 - 2023-10-22
• 6.9.6 - 2023-10-09
• 6.9.5 - 2023-09-06
• 6.9.4 - 2023-07-19
• 6.9.3 - 2023-05-29
• 6.9.2 - 2023-05-11
• 6.9.1 - 2023-01-27
• 6.9.0 - 2023-01-12
• 6.8.0 - 2022-09-28
• 6.7.8 - 2022-08-11
• 6.7.7 - 2022-07-06
• 6.7.6 - 2022-06-30
• 6.7.5 - 2022-05-04
• 6.7.4 - 2022-04-28
• 6.7.3 - 2022-03-21
• 6.7.2 - 2021-11-26
• 6.7.1 - 2021-11-15
• 6.7.0 - 2021-10-11
• 6.6.5 - 2021-09-23
• 6.6.4 - 2021-09-23
• 6.6.3 - 2021-07-14
• 6.6.2 - 2021-06-18
• 6.6.1 - 2021-05-23
• 6.6.0 - 2021-04-28
• 6.5.0 - 2021-02-26
• 6.4.18 - 2021-02-11
• 6.4.17 - 2020-12-11
• 6.4.16 - 2020-11-12
• 6.4.15 - 2020-11-06
• 6.4.14 - 2020-10-14
• 6.4.13 - 2020-10-02
• 6.4.12 - 2020-09-30
• 6.4.11 - 2020-07-29
• 6.4.10 - 2020-06-17
• 6.4.8 - 2020-05-28
• 6.4.7 - 2020-05-28
• 6.4.6 - 2020-03-20
• 6.4.5 - 2020-03-10
• 6.4.4 - 2020-03-01
• 6.4.3 - 2020-02-22
• 6.4.2 - 2019-12-11
• 6.4.1 - 2019-12-07
• 6.4.0 - 2019-12-04
• 6.3.1 - 2019-10-09
• 6.3.0 - 2019-07-14
• 6.2.1 - 2019-05-24
• 6.1.1 - 2019-04-20
• 6.1.0 - 2019-04-06
• 6.0.0 - 2019-03-25
• 5.1.1 - 2019-01-09
• 5.1.0 - 2019-01-09
• 5.0.1 - 2019-01-08
• 5.0.0 - 2018-12-28
• 4.7.0 - 2018-11-19
• 4.6.8 - 2018-08-15
• 4.6.7 - 2018-06-15
• 4.6.6 - 2018-06-10
• 4.6.5 - 2018-05-23
• 4.6.4 - 2018-03-31
• 4.6.3 - 2018-03-14
• 4.6.2 - 2018-03-06
• 4.6.1 - 2018-03-06
• 4.6.0 - 2018-02-22
• 4.5.0 - 2018-02-21
• 4.4.2 - 2018-01-20
• 4.4.1 - 2017-12-08
• 4.4.0 - 2017-11-10
• 4.3.1 - 2017-10-25
• 4.3.0 - 2017-10-23
• 4.2.0 - 2017-10-13
• 4.1.3 - 2017-10-06
• 4.1.2 - 2017-10-03
• 4.1.1 - 2017-09-25
• 4.1.0 - 2017-08-28
• 4.0.1 - 2017-04-13
• 4.0.0 - 2017-04-06
• 3.1.8 - 2017-03-21
• 3.1.7 - 2017-03-14
• 3.1.6 - 2017-03-14
• 3.1.5 - 2017-03-08
• 3.1.4 - 2017-02-26
• 3.1.3 - 2017-02-17
• 3.1.2 - 2017-02-17
• 3.1.1 - 2017-02-15
• 3.1.0 - 2017-02-13
• 3.0.2 - 2017-02-04
• 3.0.1 - 2017-02-03
• 3.0.0 - 2017-01-31
• 2.7.2 - 2017-01-22

from nodemailer GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	uid2@​0.0.4
	passport-strategy@​1.0.0
	passport-github@​0.1.5 ⏵ 1.1.0	+1		+10
	passport-oauth2@​1.8.0
	base64url@​3.0.1
	nodemailer@​2.7.2 ⏵ 7.0.5		+75	+25	+1

View full report