
Comparing changes

base repository: nodemailer/nodemailer
base: v8.0.4
...
head repository: nodemailer/nodemailer
compare: v8.0.5
  • 5 commits
  • 7 files changed
  • 3 contributors

Commits on Apr 7, 2026

  1. chore: update dev dependencies

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    andris9 and claude committed Apr 7, 2026
    08e59e6
  2. fix: sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g)

    The transport `name` option flowed unsanitized into EHLO/HELO/LHLO
    commands at lib/smtp-connection/index.js:1333, 1336, 1384, 1517, and
    1520, allowing CRLF injection of arbitrary SMTP commands at connection
    setup (before authentication). Sanitize at the assignment so all five
    call sites — including the post-STARTTLS re-handshake — read a CRLF-free
    value.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    andris9 and claude committed Apr 7, 2026
    0a43876
  3. fix: decode SMTP server responses as UTF-8 at line boundary

    Server replies were stored as a fake 8-bit byte container by _onData
    (via chunk.toString('binary'), which is byte-identity decoding required
    for correct multi-byte reassembly across socket chunks) and that view
    leaked unchanged into err.response, err.message, info.response, and
    lastServerResponse. UTF-8 reply text from modern MTAs reached callers
    as mojibake — visible in zone-mta bounce logs, deferred-delivery
    records, and bounce email bodies sent back to original senders.
    
    Add a decodeServerResponse helper that re-interprets the byte container
    as UTF-8 with byte-preserving fallback (via U+FFFD sentinel detection),
    and apply it at the two upstream boundaries in _processResponse and
    _onClose. All downstream consumers (action handlers, _formatError,
    _actionSMTPStream, custom auth handlers) receive the decoded value
    without per-site changes. Action handler regex matches on status codes
    continue to work because UTF-8 is ASCII-compatible.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    andris9 and claude committed Apr 7, 2026
    95876b1
  4. docs: add CLAUDE.md with project conventions and release process

    Document the project layout, Node 6 engine target, CommonJS/ES2017
    conventions, test/lint commands, security practices for SMTP command
    injection and reply decoding, and the release-please-driven release
    flow so versioning, CHANGELOG.md, tags, and npm publication are never
    touched manually.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    andris9 and claude committed Apr 7, 2026
    b634abf
  5. chore(master): release 8.0.5 (#1809)

    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Apr 7, 2026
    202cfb3
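
The sanitize-at-assignment approach described in the message of commit 2, as an added example that is not nodemailer's code. The class, the function names and the constructed `name` value are hypothetical, and the exact replacement the project uses is not shown on this page.

```javascript
// Added illustration; hypothetical names, not taken from lib/smtp-connection/index.js.

// Strip CR and LF so the value cannot terminate the SMTP command line it is embedded in.
function sanitizeName(name) {
    return String(name).replace(/[\r\n]+/g, '');
}

class GreetingBuilder {
    constructor(options, sanitize) {
        // Sanitizing once at assignment covers every later reader of this.name.
        this.name = sanitize ? sanitizeName(options.name) : String(options.name);
    }
    ehlo() { return 'EHLO ' + this.name; }
    helo() { return 'HELO ' + this.name; }
    lhlo() { return 'LHLO ' + this.name; }
    // The greeting repeated after STARTTLS reads the same property.
    ehloAfterStartTls() { return this.ehlo(); }
}

// Server-side view: the client appends CRLF and the server splits the stream on CRLF.
function linesOnWire(command) {
    return (command + '\r\n').split('\r\n').slice(0, -1);
}

// Defence in depth at the write boundary: refuse anything that is not a single line.
function assertSingleLine(command) {
    if (/[\r\n]/.test(command)) {
        throw new Error('refusing to send command containing CR or LF');
    }
    return command;
}

// Constructed input: a name with an embedded CRLF followed by a harmless NOOP.
const constructedName = 'client.example\r\nNOOP';

function demo() {
    const before = new GreetingBuilder({ name: constructedName }, false);
    const after = new GreetingBuilder({ name: constructedName }, true);
    const commands = [after.ehlo(), after.helo(), after.lhlo(), after.ehloAfterStartTls()];
    return {
        before: linesOnWire(before.ehlo()),  // two lines reach the server
        after: commands.map(c => linesOnWire(assertSingleLine(c)))  // one line each
    };
}

console.log(JSON.stringify(demo(), null, 2));
```

A write-boundary guard like `assertSingleLine` also catches values that reach a command from somewhere other than the sanitized property.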