nodemailer 8.0.10 → 8.0.11

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # CHANGELOG
 
+## [8.0.11](https://github.com/nodemailer/nodemailer/compare/v8.0.10...v8.0.11) (2026-06-10)
+
+
+### Bug Fixes
+
+* apply the transport-level newline option in stream and sendmail transports ([cb4f904](https://github.com/nodemailer/nodemailer/commit/cb4f904a53d2c2feeaf327203c92378d46304398))
+* include icalEvent path/href content in the application/ics attachment ([b801c48](https://github.com/nodemailer/nodemailer/commit/b801c48fab8e9b71bc7e0ea1fb32ce6b34675b15))
+* parse Ethereal response props without polynomial regex backtracking ([067aebe](https://github.com/nodemailer/nodemailer/commit/067aebec83b8cbe7682905e89b30ab19d260b503))
+* resolve oauth2_provision_cb at send time for non-pooled SMTP transports ([203c8ec](https://github.com/nodemailer/nodemailer/commit/203c8ecf97594ac2e69919b0f3ba966c0f86750e))
+* return the promise from every resolveContent branch ([07ffe8c](https://github.com/nodemailer/nodemailer/commit/07ffe8cfd97f0486b8c7b541f398922ddab47882))
+* strip the url scheme from List-ID header values ([77e5885](https://github.com/nodemailer/nodemailer/commit/77e5885cfa0c6723ea7749c1ee74b1c11aeb78bd))
+* tag AWS SES transport errors with the ESES code ([efa647a](https://github.com/nodemailer/nodemailer/commit/efa647a125dd698413a7cf6813b8e36881a06f91))
+
 ## [8.0.10](https://github.com/nodemailer/nodemailer/compare/v8.0.9...v8.0.10) (2026-05-29)
 
 

package/CLAUDE.md

@@ -50,6 +50,7 @@ Conventional Commit prefixes used in this repo: `fix:`, `feat:`, `chore:`, `docs
 ## Security
 
 This is a widely-deployed library — security-sensitive changes get extra scrutiny:
+
 - SMTP command injection: any user-controllable value that flows into a written SMTP command (envelope addresses, sizes, the `name`/EHLO option, headers) must be CRLF-stripped or rejected at the boundary. Sanitize at the assignment, not at every call site.
 - Server reply parsing in `lib/smtp-connection/index.js` uses a `'binary'` byte-container intermediate to reassemble multi-byte UTF-8 across socket chunks; the actual decode happens at line boundaries via `decodeServerResponse`. Don't change the chunk-buffering encoding without understanding why.
 - Reference the GHSA ID in commit messages for advisories.

package/SECURITY.md

@@ -26,8 +26,7 @@ Report privately through one of the following channels:
 
 1. **GitHub Security Advisories (preferred).** Open a private report at
    <https://github.com/nodemailer/nodemailer/security/advisories/new>. This keeps
-   the discussion private until a fix is published and lets us coordinate a CVE
-   and credit you.
+   the discussion private until a fix is published and lets us credit you.
 2. **Email.** Send details to **andris@reinman.eu** (the contact listed in
    [`SECURITY.txt`](SECURITY.txt)). Encrypt sensitive details if possible.
 
@@ -44,7 +43,14 @@ When reporting, please include as much of the following as you can:
 Nodemailer is maintained by a single person, so there is no guaranteed response
 time — sometimes reports are handled within hours, sometimes they take longer.
 Accepted issues are fixed in a new release and coordinated through a GitHub
-Security Advisory / CVE, and reporters who wish to be named are credited.
+Security Advisory, and reporters who wish to be named are credited.
+
+## CVEs
+
+We track and disclose vulnerabilities through GitHub Security Advisories. We do
+not request or manage CVE identifiers ourselves. If you need a CVE assigned for a
+reported issue, please request one yourself — for example, through GitHub's own
+CVE request flow on the published advisory, or another CNA.
 
 ## Scope
 

package/lib/mail-composer/index.js

@@ -83,7 +83,7 @@ class MailComposer {
      * @returns {Object} An object of arrays (`related` and `attached`)
      */
     getAttachments(findRelated) {
-        let icalEvent, eventObject;
+        let eventObject;
         const attachments = [].concat(this.mail.attachments || []).map((attachment, i) => {
             if (/^data:/i.test(attachment.path || attachment.href)) {
                 attachment = this._processDataUrl(attachment);
@@ -160,18 +160,7 @@ class MailComposer {
         });
 
         if (this.mail.icalEvent) {
-            if (
-                typeof this.mail.icalEvent === 'object' &&
-                (this.mail.icalEvent.content || this.mail.icalEvent.path || this.mail.icalEvent.href || this.mail.icalEvent.raw)
-            ) {
-                icalEvent = this.mail.icalEvent;
-            } else {
-                icalEvent = {
-                    content: this.mail.icalEvent
-                };
-            }
-
-            eventObject = Object.assign({}, icalEvent);
+            eventObject = Object.assign({}, this._getIcalEvent());
 
             eventObject.contentType = 'application/ics';
             if (!eventObject.headers) {
@@ -195,6 +184,67 @@ class MailComposer {
         };
     }
 
+    /**
+     * Returns the icalEvent value with `path`/`href`/data uri input normalized into
+     * a `content` entry, the same way as for regular attachments. The same event is
+     * included twice (as a text/calendar alternative and as an application/ics
+     * attachment), so the shared content object is marked to be resolved just once
+     * and the buffered result is reused by the second node.
+     *
+     * @returns {Object} Normalized icalEvent data
+     */
+    _getIcalEvent() {
+        if (!this._icalEvent) {
+            let icalEvent;
+            if (
+                typeof this.mail.icalEvent === 'object' &&
+                (this.mail.icalEvent.content || this.mail.icalEvent.path || this.mail.icalEvent.href || this.mail.icalEvent.raw)
+            ) {
+                icalEvent = Object.assign({}, this.mail.icalEvent);
+            } else {
+                icalEvent = {
+                    content: this.mail.icalEvent
+                };
+            }
+
+            if (/^data:/i.test(icalEvent.path || icalEvent.href)) {
+                icalEvent = this._processDataUrl(icalEvent);
+            }
+
+            if (/^https?:\/\//i.test(icalEvent.path)) {
+                icalEvent.href = icalEvent.path;
+                icalEvent.path = undefined;
+            }
+
+            if (!icalEvent.raw) {
+                // map file path and URL values into `content`, otherwise the content
+                // nodes would render an empty body
+                if (icalEvent.path) {
+                    icalEvent.content = {
+                        path: icalEvent.path
+                    };
+                    icalEvent.path = undefined;
+                } else if (icalEvent.href) {
+                    icalEvent.content = {
+                        href: icalEvent.href,
+                        httpHeaders: icalEvent.httpHeaders
+                    };
+                    icalEvent.href = undefined;
+                }
+            }
+
+            if (icalEvent.content && typeof icalEvent.content === 'object') {
+                // we are going to have the same attachment twice, so mark this to be
+                // resolved just once
+                icalEvent.content._resolve = true;
+            }
+
+            this._icalEvent = icalEvent;
+        }
+
+        return this._icalEvent;
+    }
+
     /**
      * List alternatives. Resulting objects can be used as input for MimeNode nodes
      *
@@ -202,7 +252,7 @@ class MailComposer {
      */
     getAlternatives() {
         const alternatives = [];
-        let text, html, watchHtml, amp, icalEvent, eventObject;
+        let text, html, watchHtml, amp, eventObject;
 
         if (this.mail.text) {
             if (
@@ -248,24 +298,7 @@ class MailComposer {
 
         // NB! when including attachments with a calendar alternative you might end up in a blank screen on some clients
         if (this.mail.icalEvent) {
-            if (
-                typeof this.mail.icalEvent === 'object' &&
-                (this.mail.icalEvent.content || this.mail.icalEvent.path || this.mail.icalEvent.href || this.mail.icalEvent.raw)
-            ) {
-                icalEvent = this.mail.icalEvent;
-            } else {
-                icalEvent = {
-                    content: this.mail.icalEvent
-                };
-            }
-
-            eventObject = Object.assign({}, icalEvent);
-
-            if (eventObject.content && typeof eventObject.content === 'object') {
-                // we are going to have the same attachment twice, so mark this to be
-                // resolved just once
-                eventObject.content._resolve = true;
-            }
+            eventObject = Object.assign({}, this._getIcalEvent());
 
             eventObject.filename = false;
             eventObject.contentType =

package/lib/mailer/mail-message.js

@@ -281,7 +281,11 @@ class MailMessage {
                                     comment = mimeFuncs.encodeWord(comment);
                                 }
 
-                                return (value.comment ? comment + ' ' : '') + this._formatListUrl(value.url).replace(/^<[^:]+\/{,2}/, '');
+                                // List-ID expects a bare domain-like identifier, so strip the
+                                // scheme prefix that _formatListUrl adds or passes through
+                                return (
+                                    (value.comment ? comment + ' ' : '') + this._formatListUrl(value.url).replace(/^<[^:]+:\/{0,2}/, '<')
+                                );
                             }
 
                             // List-*: <http://domain> (comment)

package/lib/mime-funcs/mime-types.js

@@ -2087,7 +2087,7 @@ module.exports = {
         if (!mimeType) {
             return defaultExtension;
         }
-        const parts = (mimeType || '').toLowerCase().trim().split('/');
+        const parts = mimeType.toLowerCase().trim().split('/');
         const rootType = parts.shift().trim();
         const subType = parts.join('/').trim();
 

package/lib/nodemailer.js

@@ -147,11 +147,20 @@ module.exports.getTestMessageUrl = function (info) {
     }
 
     const infoProps = new Map();
-    info.response.replace(/\[([^\]]+)\]$/, (m, props) => {
-        props.replace(/\b([A-Z0-9]+)=([^\s]+)/g, (m, key, value) => {
-            infoProps.set(key, value);
-        });
-    });
+
+    // Extract the trailing "[...]" part of the response (no "]" allowed inside)
+    // with linear string scanning; the equivalent regex /\[([^\]]+)\]$/ was
+    // flagged for polynomial backtracking on adversarial server responses
+    const response = info.response.toString();
+    if (response.length > 2 && response.charAt(response.length - 1) === ']') {
+        const open = response.indexOf('[', response.lastIndexOf(']', response.length - 2) + 1);
+        if (open >= 0 && open < response.length - 2) {
+            const props = response.substring(open + 1, response.length - 1);
+            props.replace(/\b([A-Z0-9]+)=([^\s]+)/g, (m, key, value) => {
+                infoProps.set(key, value);
+            });
+        }
+    }
 
     if (infoProps.has('STATUS') && infoProps.has('MSGID')) {
         return (testAccount.web || ETHEREAL_WEB) + '/message/' + infoProps.get('MSGID');

package/lib/sendmail-transport/index.js

@@ -4,6 +4,8 @@ const { spawn } = require('child_process');
 const packageData = require('../../package.json');
 const shared = require('../shared');
 const errors = require('../errors');
+const LeWindows = require('../mime-node/le-windows');
+const LeUnix = require('../mime-node/le-unix');
 
 /**
  * Generates a Transport object for Sendmail
@@ -46,6 +48,8 @@ class SendmailTransport {
                 this.args = options.args;
             }
         }
+
+        this.winbreak = ['win', 'windows', 'dos', '\r\n'].includes((options.newline || '').toString().toLowerCase());
     }
 
     /**
@@ -178,7 +182,15 @@ class SendmailTransport {
             );
 
             const sourceStream = mail.message.createReadStream();
-            sourceStream.once('error', err => {
+            let stream = sourceStream;
+            if (this.options.newline) {
+                // apply the transport-level line ending transform; the message-level
+                // `newline` option is handled by MimeNode in createReadStream()
+                stream = sourceStream.pipe(this.winbreak ? new LeWindows() : new LeUnix());
+                sourceStream.once('error', err => stream.emit('error', err));
+            }
+
+            stream.once('error', err => {
                 this.logger.error(
                     {
                         err,
@@ -193,7 +205,7 @@ class SendmailTransport {
                 callback(err);
             });
 
-            sourceStream.pipe(sendmail.stdin);
+            stream.pipe(sendmail.stdin);
         } else {
             const err = new Error('sendmail was not found');
             err.code = errors.ESENDMAIL;

package/lib/ses-transport/index.js

@@ -3,9 +3,22 @@
 const EventEmitter = require('events');
 const packageData = require('../../package.json');
 const shared = require('../shared');
+const errors = require('../errors');
 const LeWindows = require('../mime-node/le-windows');
 const MimeNode = require('../mime-node');
 
+/**
+ * Tags AWS SDK rejections that carry no `code` property (SDK v3 errors only
+ * have a `name`) with the generic SES transport error code, keeping the
+ * original error object intact
+ */
+function tagSesError(err) {
+    if (err && typeof err === 'object' && !err.code) {
+        err.code = errors.ESES;
+    }
+    return err;
+}
+
 /**
  * Generates a Transport object for AWS SES
  *
@@ -157,6 +170,7 @@ class SESTransport extends EventEmitter {
                             });
                         })
                         .catch(err => {
+                            tagSesError(err);
                             this.logger.error(
                                 {
                                     err,
@@ -188,7 +202,7 @@ class SESTransport extends EventEmitter {
 
         const cb = err => {
             if (err && !['InvalidParameterValue', 'MessageRejected'].includes(err.code || err.Code || err.name)) {
-                return callback(err);
+                return callback(tagSesError(err));
             }
             return callback(null, true);
         };
@@ -205,15 +219,13 @@ class SESTransport extends EventEmitter {
             }
         };
 
-        this.getRegion((err, region) => {
-            if (err || !region) {
-                region = 'us-east-1';
-            }
-
+        // the region value is not used for anything when verifying, but the lookup
+        // exercises the client configuration the same way as send() does
+        this.getRegion(() => {
             const command = new this.ses.SendEmailCommand(sesMessage);
             const sendPromise = this.ses.sesClient.send(command);
 
-            sendPromise.then(data => cb(null, data)).catch(err => cb(err));
+            sendPromise.then(() => cb(null)).catch(err => cb(err));
         });
 
         return promise;

package/lib/shared/index.js

@@ -530,6 +530,12 @@ module.exports.resolveContent = (data, key, options, callback) => {
         });
     }
 
+    resolveContentValue(data, key, options, callback);
+
+    return promise;
+};
+
+function resolveContentValue(data, key, options, callback) {
     let content = (data && data[key] && data[key].content) || data[key];
     const encoding = ((typeof data[key] === 'object' && data[key].encoding) || 'utf8')
         .toString()
@@ -567,10 +573,7 @@ module.exports.resolveContent = (data, key, options, callback) => {
         } else if (/^data:/i.test(content.path || content.href)) {
             const parsedDataUri = module.exports.parseDataURI(content.path || content.href);
 
-            if (!parsedDataUri || !parsedDataUri.data) {
-                return callback(null, Buffer.from(0));
-            }
-            return callback(null, parsedDataUri.data);
+            return callback(null, parsedDataUri && parsedDataUri.data ? parsedDataUri.data : Buffer.alloc(0));
         } else if (content.path) {
             if (options.disableFileAccess) {
                 return setImmediate(() => {
@@ -589,9 +592,7 @@ module.exports.resolveContent = (data, key, options, callback) => {
 
     // default action, return as is
     setImmediate(() => callback(null, content));
-
-    return promise;
-};
+}
 
 /**
  * Copies properties from source objects to target objects

package/lib/smtp-connection/index.js

@@ -51,9 +51,9 @@ function decodeServerResponse(str) {
  *  * **requireTLS** - forces the client to use STARTTLS
  *  * **name** - the name of the client server
  *  * **localAddress** - outbound address to bind to (see: http://nodejs.org/api/net.html#net_net_connect_options_connectionlistener)
- *  * **greetingTimeout** - Time to wait in ms until greeting message is received from the server (defaults to 10000)
- *  * **connectionTimeout** - how many milliseconds to wait for the connection to establish
- *  * **socketTimeout** - Time of inactivity until the connection is closed (defaults to 1 hour)
+ *  * **greetingTimeout** - Time to wait in ms until greeting message is received from the server (defaults to 30 seconds)
+ *  * **connectionTimeout** - how many milliseconds to wait for the connection to establish (defaults to 2 minutes)
+ *  * **socketTimeout** - Time of inactivity until the connection is closed (defaults to 10 minutes)
  *  * **dnsTimeout** - Time to wait in ms for the DNS requests to be resolved (defaults to 30 seconds)
  *  * **lmtp** - if true, uses LMTP instead of SMTP protocol
  *  * **logger** - bunyan compatible logger interface
@@ -838,7 +838,7 @@ class SMTPConnection extends EventEmitter {
             return;
         }
 
-        let data = (chunk || '').toString('binary');
+        let data = chunk.toString('binary');
         let lines = (this._remainder + data).split(/\r?\n/);
         let lastline;
 

package/lib/smtp-transport/index.js

@@ -71,13 +71,19 @@ class SMTPTransport extends EventEmitter {
 
     getAuth(authOpts) {
         if (!authOpts) {
+            if (this.auth && this.auth.oauth2 && this.mailer) {
+                // Transport-level auth is resolved in the constructor, before the Mail wrapper
+                // assigns `this.mailer`, so a provision callback registered with
+                // `transporter.set('oauth2_provision_cb', ...)` has to be re-checked here
+                this.auth.oauth2.provisionCallback = this.mailer.get('oauth2_provision_cb') || this.auth.oauth2.provisionCallback;
+            }
             return this.auth;
         }
 
         const authData = Object.assign(
             {},
             this.options.auth && typeof this.options.auth === 'object' ? this.options.auth : {},
-            authOpts && typeof authOpts === 'object' ? authOpts : {}
+            typeof authOpts === 'object' ? authOpts : {}
         );
 
         if (Object.keys(authData).length === 0) {

package/lib/stream-transport/index.js

@@ -2,6 +2,8 @@
 
 const packageData = require('../../package.json');
 const shared = require('../shared');
+const LeWindows = require('../mime-node/le-windows');
+const LeUnix = require('../mime-node/le-unix');
 
 /**
  * Generates a Transport object for streaming
@@ -63,6 +65,13 @@ class StreamTransport {
 
             try {
                 stream = mail.message.createReadStream();
+                if (this.options.newline) {
+                    // apply the transport-level line ending transform; the message-level
+                    // `newline` option is handled by MimeNode in createReadStream()
+                    const sourceStream = stream;
+                    stream = sourceStream.pipe(this.winbreak ? new LeWindows() : new LeUnix());
+                    sourceStream.once('error', err => stream.emit('error', err));
+                }
             } catch (E) {
                 this.logger.error(
                     {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "nodemailer",
-    "version": "8.0.10",
+    "version": "8.0.11",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
@@ -27,19 +27,19 @@
     },
     "homepage": "https://nodemailer.com/",
     "devDependencies": {
-        "@aws-sdk/client-sesv2": "3.1037.0",
+        "@aws-sdk/client-sesv2": "3.1065.0",
         "bunyan": "1.8.15",
         "c8": "11.0.0",
-        "eslint": "10.2.1",
+        "eslint": "10.4.1",
         "eslint-config-prettier": "10.1.8",
-        "globals": "17.5.0",
+        "globals": "17.6.0",
         "libbase64": "1.3.0",
         "libmime": "5.3.8",
         "libqp": "2.1.1",
-        "prettier": "3.8.3",
+        "prettier": "3.8.4",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
-        "smtp-server": "3.18.4"
+        "smtp-server": "3.18.5"
     },
     "engines": {
         "node": ">=6.0.0"