mailauth 4.8.1 → 4.8.3

package/.ncurc.js

@@ -5,11 +5,10 @@ module.exports = {
         'marked-man',
         // only works as ESM
         'chai',
-
-        // Fails in Node 16
-        'undici',
+        'fast-xml-parser',
 
         // fix later
-        'eslint'
+        'eslint',
+        'eslint-config-prettier'
     ]
 };

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [4.8.3](https://github.com/postalsys/mailauth/compare/v4.8.2...v4.8.3) (2025-04-20)
+
+
+### Bug Fixes
+
+* protect against prototype pollution ([3b7515d](https://github.com/postalsys/mailauth/commit/3b7515df768ce1d2e4e02858fdfca8efca6243fb))
+
+## [4.8.2](https://github.com/postalsys/mailauth/compare/v4.8.1...v4.8.2) (2024-12-19)
+
+
+### Bug Fixes
+
+* **ARC:** ensure that instance value is 1 if ARC chain does not exist yet ([ab4c5e9](https://github.com/postalsys/mailauth/commit/ab4c5e9ae0158e196b10f346321ca55b8f06c679))
+
 ## [4.8.1](https://github.com/postalsys/mailauth/compare/v4.8.0...v4.8.1) (2024-11-05)
 
 

package/lib/arc/index.js

@@ -78,6 +78,8 @@ const verifyAS = async (chain, opts) => {
 const signAS = async (chain, entry, signatureData) => {
     let { instance, algorithm, selector, signingDomain, bodyHash, cv, signTime, privateKey } = signatureData;
 
+    instance = instance || 1;
+
     const signAlgo = algorithm?.split('-').shift();
 
     signTime = signTime || new Date();
@@ -497,6 +499,8 @@ const createSeal = async (input, data) => {
         await dkimSigner.finalize();
     }
 
+    seal.i = seal.i || 1;
+
     const authResults = `ARC-Authentication-Results: i=${seal.i}; ${seal.authResults}`;
 
     // Step 2. Calculate ARC-Seal

package/lib/bimi/index.js

@@ -13,7 +13,9 @@ const httpsSchema = Joi.string().uri({
 const FETCH_TIMEOUT = 5 * 1000;
 
 const { fetch: fetchCmd, Agent } = require('undici');
-const fetchAgent = new Agent({ connect: { timeout: FETCH_TIMEOUT } });
+const fetchAgent = new Agent({
+    connect: { timeout: FETCH_TIMEOUT }
+});
 
 const { vmc } = require('@postalsys/vmc');
 const { validateSvg } = require('./validate-svg');

package/lib/dkim/dkim-signer.js

@@ -266,7 +266,7 @@ class DkimSigner extends MessageParser {
                     {},
                     signatureData,
                     {
-                        instance: this.arc?.instance, // ARC only
+                        instance: 'instance' in this.arc && (this.arc.instance || 1), // ARC only
                         algorithm,
                         canonicalization: this.getCanonicalization(signatureData).canonicalization,
 

package/lib/parse-dkim-headers.js

@@ -279,13 +279,15 @@ const headerParser = buf => {
                 entry.comment = part.comment;
             }
 
-            if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
-                if (!result[part.key]) {
-                    result[part.key] = [];
+            if (part.key && !['__proto__', 'constructor'].includes(part.key)) {
+                if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
+                    if (!result[part.key]) {
+                        result[part.key] = [];
+                    }
+                    result[part.key].push(entry);
+                } else {
+                    result[part.key] = entry;
                 }
-                result[part.key].push(entry);
-            } else {
-                result[part.key] = entry;
             }
         });
 

package/man/mailauth.1

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "November 2024" "v4.8.1" "Mailauth Help"
+.TH "MAILAUTH" "1" "April 2025" "v4.8.3" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "4.8.1",
+    "version": "4.8.3",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
@@ -8,7 +8,8 @@
         "prepublish": "npm run man || true",
         "man": "cd man && marked-man --version `node -e \"console.log('v'+require('../package.json').version)\"` --manual 'Mailauth Help' --section 1 man.md > mailauth.1",
         "build-source": "rm -rf node_modules package-lock.json && npm install && npm run man && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
-        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install",
+        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install && node winconf.js",
+        "build-dist-fast": "pkg --debug package.json && npm install && node winconf.js",
         "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt",
         "update": "rm -rf node_modules package-lock.json && npx ncu -u && npm install"
     },
@@ -38,26 +39,27 @@
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "9.1.0",
         "js-yaml": "4.1.0",
-        "license-report": "6.7.0",
+        "license-report": "6.7.2",
         "marked": "0.7.0",
         "marked-man": "0.7.0",
         "mbox-reader": "1.2.0",
-        "mocha": "10.8.2"
+        "mocha": "11.1.0",
+        "resedit": "^2.0.3"
     },
     "dependencies": {
         "@postalsys/vmc": "1.1.0",
-        "fast-xml-parser": "4.5.0",
+        "fast-xml-parser": "4.5.2",
         "ipaddr.js": "2.2.0",
         "joi": "17.13.3",
-        "libmime": "5.3.5",
-        "nodemailer": "6.9.16",
+        "libmime": "5.3.6",
+        "nodemailer": "6.10.1",
         "punycode.js": "2.3.1",
-        "tldts": "6.1.58",
-        "undici": "5.28.4",
+        "tldts": "7.0.1",
+        "undici": "7.8.0",
         "yargs": "17.7.2"
     },
     "engines": {
-        "node": ">=16.0.0"
+        "node": ">=18.0.0"
     },
     "bin": {
         "mailauth": "bin/mailauth.js"

package/winconf.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const { load } = require('resedit/cjs');
+const PackageData = require('./package.json');
+
+const { readFileSync, writeFileSync } = require('fs');
+
+const options = {
+    in: './ee-dist/mailauth-win-x64.exe',
+    out: './ee-dist/mailauth-win-x64.exe',
+    version: PackageData.version,
+    properties: {
+        LegalCopyright: 'Postal Systems OÜ',
+        FileDescription: 'mailauth provides a command-line utility for email authentication',
+        ProductName: 'mailauth'
+    },
+    icon: 'assets/mailauth.ico'
+};
+
+const language = {
+    lang: 1033,
+    codepage: 1200
+};
+
+load().then(ResEdit => {
+    // Modify .exe w/ ResEdit
+    const data = readFileSync(options.in);
+    const executable = ResEdit.NtExecutable.from(data);
+    const res = ResEdit.NtExecutableResource.from(executable);
+    const vi = ResEdit.Resource.VersionInfo.fromEntries(res.entries)[0];
+
+    // Remove original filename
+    vi.removeStringValue(language, 'OriginalFilename');
+    vi.removeStringValue(language, 'InternalName');
+
+    // Product version
+    if (options.version) {
+        // Convert version to tuple of 3 numbers
+        const version = options.version
+            .split('.')
+            .map(v => Number(v) || 0)
+            .slice(0, 3);
+
+        // Update versions
+        vi.setProductVersion(...version, 0, language.lang);
+        vi.setFileVersion(...version, 0, language.lang);
+    }
+
+    // Add additional user specified properties
+    if (options.properties) {
+        vi.setStringValues(language, options.properties);
+    }
+
+    vi.outputToResourceEntries(res.entries);
+
+    // Add icon
+    if (options.icon) {
+        const iconFile = ResEdit.Data.IconFile.from(readFileSync(options.icon));
+        ResEdit.Resource.IconGroupEntry.replaceIconsForResource(
+            res.entries,
+            1,
+            language.lang,
+            iconFile.icons.map(item => item.data)
+        );
+    }
+
+    // Regenerate and write to .exe
+    res.outputResource(executable);
+    writeFileSync(options.out, Buffer.from(executable.generate()));
+});