chore(deps): bump nodemailer from 7.0.11 to 8.0.5#2781
dependabot[bot] wants to merge 1 commit into main from
Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 7.0.11 to 8.0.5.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v7.0.11...v8.0.5)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — straightforward Dependabot security bump; the flagged @types/nodemailer version mismatch is a pre-existing nit with no current functional impact.
Extended reasoning...
Overview
This PR bumps nodemailer from 7.0.11 to 8.0.5 in package.json and updates pnpm-lock.yaml accordingly. The lockfile also picks up patch/minor bumps to several AWS SDK and @smithy packages as transitive dependency churn — none of those are direct changes from this PR.
Security risks
The upgrade itself is security-motivated: nodemailer v8.0.4 and v8.0.5 contain fixes for SMTP command injection (GHSA-vvjj-xcjg-gr5g and envelope-size sanitization). The only breaking change in v8.0.0 is an error-code rename (NoAuth → ENOAUTH) that is not referenced anywhere in this codebase. No new security surface is introduced.
The one bug flagged — @types/nodemailer still pinned to ^7.0.4 while the runtime is now ^8.0.5 — is a pre-existing dependency hygiene issue. For the APIs currently in use (createTransport with a string URL and sendMail with standard options), the type signatures are identical between v7 and v8, so there is no compile-time or runtime impact today. It is worth fixing, but it does not block merging.
Level of scrutiny
Low. This is a mechanical, Dependabot-generated version bump to a single direct dependency. The usage in the codebase is minimal (one API route using basic SMTP send). The lockfile churn is automatic and expected.
Other factors
No tests exist for the nodemailer integration (it is a server-side contact-form mailer), so CI passing is the relevant signal. The Vercel preview build was triggered. There are no outstanding reviewer comments.
| "next-sitemap": "^4.2.3", | ||
| "next-themes": "^0.4.6", | ||
| "nodemailer": "^7.0.11", | ||
| "nodemailer": "^8.0.5", |
🟡 The @types/nodemailer package in dependencies is still pinned to ^7.0.4 while this PR bumps the runtime nodemailer to ^8.0.5 — a major version mismatch. The fix is trivial: update @types/nodemailer to ^8.0.0 to match the installed runtime.
Extended reasoning...
What the bug is and how it manifests
This PR bumps nodemailer from ^7.0.11 to ^8.0.5 in package.json, but leaves @types/nodemailer at ^7.0.4. Because semver ranges do not cross major version boundaries, the ^7.0.4 constraint will always resolve to a 7.x package and will never pick up the v8 type definitions. nodemailer v8 does not ship its own TypeScript types (no types or typings field in its package.json), so the DefinitelyTyped package is the only source of types. The runtime is v8.0.5 while TypeScript compiles against v7.x definitions — a genuine major-version mismatch.
The specific code path that triggers it
app/api/contact-sales/route.ts imports nodemailer and calls nodemailer.createTransport(smtpUrl) and transporter.sendMail({from, to, replyTo, subject, text}). TypeScript resolves the types for these calls from the installed @types/nodemailer package, which will be 7.x rather than 8.x.
Why existing code doesn't prevent it / addressing the refutation
The refuting verifier correctly points out that the only documented breaking change in nodemailer v8.0.0 is the runtime error-code rename NoAuth → ENOAUTH, which is not a type-level change and is not referenced in the codebase. For the specific APIs currently in use (createTransport with a string URL and sendMail with standard mail options), the type signatures are functionally identical between v7 and v8, meaning no TypeScript compilation error is produced today.
However, this does not make the mismatch non-existent — it makes it low-impact. Having the runtime at major version 8 and the type definitions at major version 7 is objectively incorrect. Any future code additions that use new v8-only APIs would silently use incorrect or missing type signatures, and the mismatch makes it harder to reason about the dependency graph. Dependency hygiene dictates that types packages track their corresponding runtime package's major version.
Impact
Current impact is low: no compile errors occur for the existing createTransport/sendMail usage. The risk is latent — new code using v8-specific APIs or error codes would be type-checked against stale v7 definitions without any warning.
How to fix it
In package.json, update @types/nodemailer from ^7.0.4 to ^8.0.0. Note that @types/nodemailer is currently placed in dependencies rather than devDependencies; this is a pre-existing placement issue and is separate from the version mismatch introduced by this PR.
Step-by-step proof
1. `nodemailer` runtime is resolved to `8.0.5` (confirmed by `pnpm-lock.yaml`: `nodemailer@8.0.5: {}`).
2. `@types/nodemailer` is constrained to `^7.0.4` — the semver range resolves to the latest 7.x (e.g., 7.0.11).
3. `@types/nodemailer@8.0.0` exists on npm (confirmed by verifiers via registry check).
4. nodemailer v8 has no bundled types (no `types` field in package.json), so TypeScript falls back to `@types/nodemailer`.
5. Result: TypeScript uses v7.x type definitions while running v8.x code — a major-version mismatch. The `^7.0.4` constraint must be changed to `^8.0.0` to resolve correctly.
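As an added example (not code from this PR or the project), a small Node script that automates the check described in the comment above: compare the major version of each `@types/<pkg>` range in package.json with the range of its runtime `<pkg>`, so a caret range stuck on the previous major is caught before it merges. The package.json fragment is constructed to mirror the state after this bump.

```javascript
// Added example, not from the PR or the project: flag @types/<pkg> entries
// whose major version does not match the runtime <pkg> range. This is the
// nodemailer ^8.0.5 vs @types/nodemailer ^7.0.4 situation discussed above.

// Extract the major version a caret/tilde/exact/>= range will resolve to.
// Returns null for ranges this simple parser does not understand ("*",
// "latest", git URLs, workspace: protocols) so they are reported as
// "unchecked" rather than guessed.
function rangeMajor(range) {
  const m = /^\s*(?:\^|~|>=|=)?\s*v?(\d+)(?:\.(?:\d+|x|\*))?/.exec(range);
  return m ? Number(m[1]) : null;
}

// Walk dependencies + devDependencies and compare each @types/<name> against
// the runtime <name>. DefinitelyTyped publishes types for a scoped package
// @scope/name under @types/scope__name, so that mapping is handled too.
function findTypesMismatches(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!name.startsWith("@types/")) continue;
    const bare = name.slice("@types/".length);
    const runtime = bare.includes("__") ? "@" + bare.replace("__", "/") : bare;
    if (!(runtime in deps)) continue; // types for a transitive or global package
    const typesMajor = rangeMajor(range);
    const runtimeMajor = rangeMajor(deps[runtime]);
    if (typesMajor === null || runtimeMajor === null) {
      findings.push({ types: name, runtime, status: "unchecked" });
    } else if (typesMajor !== runtimeMajor) {
      findings.push({ types: name, runtime, typesMajor, runtimeMajor, status: "mismatch" });
    }
  }
  return findings;
}

// Constructed package.json fragment mirroring the dependencies after this PR.
const samplePkg = {
  dependencies: {
    "next-sitemap": "^4.2.3",
    "next-themes": "^0.4.6",
    nodemailer: "^8.0.5",
    "@types/nodemailer": "^7.0.4",
  },
};

// → [{ types: "@types/nodemailer", runtime: "nodemailer",
//      typesMajor: 7, runtimeMajor: 8, status: "mismatch" }]
console.log(findTypesMismatches(samplePkg));
```

Running it against a real package.json is a matter of `JSON.parse(fs.readFileSync("package.json", "utf8"))` in place of the constructed object, and exiting non-zero when any finding has status "mismatch".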
Bumps nodemailer from 7.0.11 to 8.0.5.
Release notes
Sourced from nodemailer's releases.
... (truncated)
Changelog
Sourced from nodemailer's changelog.
... (truncated)
Commits
- 202cfb3 chore(master): release 8.0.5 (#1809)
- b634abf docs: add CLAUDE.md with project conventions and release process
- 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
- 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection
- ...
- 08e59e6 chore: update dev dependencies
- 2d31975 chore(master): release 8.0.4 (#1806)
- 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
- 4e702e9 chore(master): release 8.0.3 (#1804)
- c803d90 fix: remove familySupportCache that broke DNS resolution tests
- e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.