Unleash / unleash / 19845328199 / 1
86%
master: 91%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran
Files 1220
Run time 59s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 91.201% (+0.002%) from 91.199%
19845328199.1

push

github

web-flow 
chore(deps): update dependency nodemailer to v7.0.11 [security] (#11057)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [nodemailer](https://nodemailer.com/)
([source](https://redirect.github.com/nodemailer/nodemailer)) | [`7.0.9`
-> `7.0.11`](https://renovatebot.com/diffs/npm/nodemailer/7.0.9/7.0.11)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/7.0.11?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/7.0.9/7.0.11?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[GHSA-rcmh-qjqh-p98v](https://redirect.github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v)

### Summary
A DoS can occur that immediately halts the system due to the use of an
unsafe function.

### Details
According to **RFC 5322**, nested group structures (a group inside
another group) are not allowed. Therefore, in
lib/addressparser/index.js, the email address parser performs flattening
when nested groups appear, since such input is likely to be abnormal.
(If the address is valid, it is added as-is.) In other words, the parser
flattens all nested groups and inserts them into the final group list.
However, the code implemented for this flattening process can be
exploited by malicious input and triggers DoS

RFC 5322 uses a colon (:) to define a group, and commas (,) are used to
separate members within a group.
At the following location in lib/addressparser/index.js:


https://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90

there is code that performs this flattening. The issue occurs when the
email address parser attempts to process the following kind of malicious
address header:

```g0: g1: g2: g3: ... gN: victim@example.com;```

Because no recursion depth limit is enforced, the parser repeatedly invokes itself in the patt... (continued)

7269 of 7319 branches covered (99.32%)

69286 of 75971 relevant lines covered (91.2%)

450.1 hits per line

Source Files on job 19845328199.1