
489 nodemailer smtp transport critical vulnerability fix v2 #497

Conversation

sulthan-ahmed (Contributor):

Resolves nested dep vuln GHSA-cf4h-3jhx-xvhq

What?

Replaces nodemailer-smtp-transport dep with nodemailer

Why?

If you consume HOF in a project building with npm, there is a nested dependency vulnerability flagged which is ranked "Critical". The vulnerability is:

Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq

The issue is in the version of underscore which is nested within the nodemailer-smtp-transport dependency.

How?

Replaces nodemailer-smtp-transport dep with nodemailer

Testing?

yarn test has been run locally, but will require testing for regressions on a real HOF project to check that emails work OK

Screenshots (optional)

N/A

Anything Else? (optional)

See linked issue for more information

Check list

  • I have reviewed my own pull request for linting issues (e.g. adding new lines)
  • I have written tests (if relevant)
  • I have created a JIRA number for my branch
  • I have created a JIRA number for my commit
  • I have followed the Chris Beams method for my commit https://cbea.ms/git-commit/
    here is an example commit
  • Ensure workflow jobs are passing especially tests
  • I will squash the commits before merging
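The description above says npm flags the underscore copy that sits underneath nodemailer-smtp-transport, not the one the project depends on directly. The script below is an added example (not part of HOF or this PR) that shows how such a nested copy is located from a package-lock.json "packages" map and attributed to the top-level dependency that pulls it in, and that dropping that dependency removes the finding. The lock-file fragment, the package versions in it and the `1.3.2 <= v < 1.12.1` range are constructed for illustration; confirm the affected range against GHSA-cf4h-3jhx-xvhq before relying on it.

```javascript
// Added example, not code from the HOF project: locate nested copies of a
// package in a package-lock.json (v2/v3) "packages" map, report which
// top-level dependency brings each copy in, and check the version against
// an advisory range. All data below is constructed for illustration.

// Minimal "major.minor.patch" comparison. Prerelease tags are ignored here;
// a real audit should use the `semver` package instead.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, with the first hop under the root's
// node_modules recorded as the dependency responsible for it.
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // '' is the root project itself
    const hops = path.split('node_modules/').filter(Boolean)
      .map((h) => h.replace(/\/$/, ''));
    if (hops[hops.length - 1] !== name) continue;
    copies.push({ path, version: entry.version, via: hops[0], nested: hops.length > 1 });
  }
  return copies;
}

// Copies whose version lies in [minInclusive, maxExclusive).
function findAffected(lock, name, minInclusive, maxExclusive) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, minInclusive) >= 0 &&
           compareVersions(c.version, maxExclusive) < 0,
  );
}

// Simulate removing a top-level dependency: everything installed under its
// node_modules subtree goes with it, which is how npm prunes on uninstall.
function withoutDependency(lock, name) {
  const prefix = `node_modules/${name}`;
  const packages = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === prefix || path.startsWith(prefix + '/')) continue;
    packages[path] = entry;
  }
  return { ...lock, packages };
}

// Assumed affected range for illustration; verify against the advisory.
const UNDERSCORE_RANGE = { min: '1.3.2', maxExclusive: '1.12.1' };

// Constructed lock fragment: the root holds a patched underscore directly,
// while nodemailer-smtp-transport pins an older one underneath itself.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { underscore: '^1.13.6', 'nodemailer-smtp-transport': '^2.7.4' } },
    'node_modules/underscore': { version: '1.13.6' },
    'node_modules/nodemailer-smtp-transport': { version: '2.7.4' },
    'node_modules/nodemailer-smtp-transport/node_modules/underscore': { version: '1.8.3' },
  },
};

// Run the check before and after dropping the offending dependency.
function auditSample() {
  const before = findAffected(SAMPLE_LOCK, 'underscore', UNDERSCORE_RANGE.min, UNDERSCORE_RANGE.maxExclusive);
  const fixed = withoutDependency(SAMPLE_LOCK, 'nodemailer-smtp-transport');
  const after = findAffected(fixed, 'underscore', UNDERSCORE_RANGE.min, UNDERSCORE_RANGE.maxExclusive);
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { before, after } = auditSample();
  for (const hit of before) {
    console.log(`${hit.path} (${hit.version}) via ${hit.via}${hit.nested ? ' [nested]' : ''}`);
  }
  console.log(`affected copies after removing nodemailer-smtp-transport: ${after.length}`);
}

module.exports = { parseVersion, compareVersions, findInstalledCopies, findAffected, withoutDependency, auditSample, SAMPLE_LOCK };
```

Run it with `node` against the constructed lock to see the single nested hit attributed to nodemailer-smtp-transport; point `findAffected` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run the same check on a real project, keeping in mind that `npm audit` already does this with the authoritative ranges.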

robertdeniszczyc2 and others added 2 commits January 24, 2025 14:57
- Removed the nodemailer-smtp-transport dependency
as it is redundant and introduces a flagged
critical vulnerability.
- Updated CHANGELOG.md to reflect the changes.
@sulthan-ahmed (Contributor, Author):

Something has gone wrong with the original PR and branch, so this new one was made. The original one is here, which was created by @robertdeniszczyc2 and approved by me: #494 (review)

@sulthan-ahmed sulthan-ahmed merged commit 7ab6abb into master Jan 24, 2025
7 checks passed
@sulthan-ahmed sulthan-ahmed deleted the 489-nodemailer-smtp-transport-critical-vulnerability-fix-v2 branch January 24, 2025 15:12