chore(deps): bump nodemailer to 9.0.1 #4772
- Recreates wrong-base #4765 (targeted main, closed)
- Security fix: nodemailer 9.0.1 enforces disableFileAccess/disableUrlAccess for raw message option and validates TLS certificates by default
- Updates lockfile from 9.0.0 to 9.0.1
Argus fast-track review: PR #4772 (HIGH security fix)
Substance: PASS. Minimal, focused patch bump. nodemailer ^9.0.0 -> ^9.0.1 in package.json + lockfile update. Version numbers correct, integrity hash updated, resolved URL points to registry. No scope creep, no unrelated changes.
Security context: VERIFIED. Trivy SCA (root) now PASSING on this PR (was failing on #4771 / develop base). Confirms the 9.0.1 bump resolves HIGH vuln GHSA-p6gq-j5cr-w38f. 9.0.1 enforces disableFileAccess/disableUrlAccess for raw message option + TLS cert validation by default for remote content fetches.
CI status:
- Trivy SCA (root): PASS (security gate cleared)
- CodeQL, GitGuardian, Gitleaks, lint, lint-pr-title, dashboard-e2e, platform-smoke (mac/win), sdk-drift, feat-minor-bump-gate: all PASS
- helm-smoke: pending
- test (ubuntu-latest, 20): pending
- test (ubuntu-latest, 22): pending
These 3 pending checks were the same ones failing on #4771 (pre-existing nodemailer 9.0.0 vuln). Expected to pass once the bump resolves the root cause.
Gate status:
- Gate 1 (review): in progress (this review)
- Gate 2 (no conflicts): mergeable=True
- Gate 3 (CI green): Trivy cleared, 3 checks pending
- Gate 4 (no regressions): no code changes, dependency bump only
- Gate 5 (unit tests): N/A, no code changes
- Gate 6 (E2E/UAT): N/A, no functional changes
- Gate 7 (documented): PR body explains security context
- Gate 8 (security clean): Trivy now green, no secrets
- Gate 9 (targets develop): base=develop
App-authored PR note: This PR is opened by aegis-gh-agent[bot]. Per established workflow, requires human approval before merge.
Request: @OneStepAt4time (Boss), please approve for fast-track. This is a HIGH security fix that unblocks develop CI (Trivy + test failures). Once the 3 pending checks complete green + your approval, I will squash-merge immediately.
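The PR body and the review above both rest on three facts about the lockfile: the resolved nodemailer version is at least 9.0.1, the resolved URL points to the public registry, and an integrity hash is present. The following Node script is an added example, not code from this PR or from the project, that performs exactly those checks on a package-lock.json and also confirms the locked version satisfies the caret range declared in package.json. It assumes the npm lockfileVersion 2/3 layout (a top-level `packages` map keyed by `node_modules/<name>`); the two lockfile objects, the package.json fragment and the integrity strings are constructed for the demonstration and are not real hashes.

```javascript
// Added example, not the project's own code. Verifies that a package-lock.json
// (npm lockfileVersion 2/3 layout, top-level "packages" map) pins a dependency to
// at least a known-fixed release, resolved from the public registry with an
// integrity hash. All sample data below is constructed for the demo.

const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Parse "MAJOR.MINOR.PATCH". A leading range operator (^, ~, =) is stripped so the
// same parser serves package.json ranges and lockfile versions; pre-release tags
// are ignored, which is sufficient for comparing release versions.
function parseSemver(v) {
  const m = /^[\^~=]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Checks one locked dependency. Returns { ok, problems } so a CI step can report
// every finding instead of stopping at the first one.
function checkLockedDependency(lock, name, minFixedVersion) {
  const problems = [];
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) return { ok: false, problems: [`${name} missing from lockfile packages`] };

  if (compareSemver(entry.version, minFixedVersion) < 0)
    problems.push(`${name}@${entry.version} is older than fixed version ${minFixedVersion}`);
  if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(REGISTRY_PREFIX))
    problems.push(`${name} resolves outside the public registry: ${entry.resolved}`);
  if (typeof entry.integrity !== "string" || !/^sha512-[A-Za-z0-9+\/=]+$/.test(entry.integrity))
    problems.push(`${name} has no sha512 integrity field`);
  return { ok: problems.length === 0, problems };
}

// Cross-check package.json against the lockfile: the locked version must be at or
// above the lower bound of the declared caret range and share its major version
// (the only part of ^x.y.z semantics this check needs).
function lockSatisfiesDeclaredRange(pkgJson, lock, name) {
  const declared = (pkgJson.dependencies || {})[name];
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!declared || !entry) return false;
  return compareSemver(entry.version, declared) >= 0 &&
    parseSemver(entry.version)[0] === parseSemver(declared)[0];
}

// Constructed sample lockfiles mirroring the "before" and "after" of a patch bump.
// The integrity values are placeholders, not real hashes.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/nodemailer": {
      version: "9.0.0",
      resolved: "https://registry.npmjs.org/nodemailer/-/nodemailer-9.0.0.tgz",
      integrity: "sha512-ConstructedPlaceholderNotARealHash0000",
    },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "node_modules/nodemailer": {
      version: "9.0.1",
      resolved: "https://registry.npmjs.org/nodemailer/-/nodemailer-9.0.1.tgz",
      integrity: "sha512-ConstructedPlaceholderNotARealHash0001",
    },
  },
};
// Constructed package.json fragment matching the bumped range.
const PKG_JSON_AFTER = { dependencies: { nodemailer: "^9.0.1" } };

// Stand-alone demo: report both lockfiles against the fixed version.
for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  const r = checkLockedDependency(lock, "nodemailer", "9.0.1");
  console.log(label, r.ok ? "OK" : "FAIL", r.problems);
}
```

To use this against a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and `JSON.parse(fs.readFileSync("package.json"))` and fail the CI step when `ok` is false; the minimum fixed version is the one named in the advisory being remediated.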
Argus: closed as superseded by #4773. #4773 has the identical nodemailer 9.0.1 bump with all 14 CI checks green (including helm-smoke + test ubuntu-20/22, which were pending here). Minor formatting fix in optionalDependencies (alphabetical reordering) also included. All review activity moved to #4773.
Closing as duplicate: #4773 (same nodemailer 9.0.1 bump) was merged to develop.