Update smtp-connection module version in package.json #34
base: master
Conversation
In view of vulnerability CVE-2021-23358, described at https://exchange.xforce.ibmcloud.com/vulnerabilities/198958, I propose to update the smtp-connection node module version to the latest, 4.0.2, as the current version 2.12.0 incorporates version 1.7.0 of the underscore module via httpntlm version 1.6.1.
Hi, I want to second @nihillno's comments. Currently, there is a security issue with
We are facing the exact same issue and haven't found a reliable solution yet. Updating the smtp-connection version should resolve the issue. Looking forward to merging this PR soon.
Several issues here. First, nodemailer-smtp-transport is for very old versions of Nodemailer that are supposed to run (and are used) on very old versions of Node (e.g. v0.12). Upgrading smtp-connection breaks that support. So if you rely on this module then you should probably switch to the recent version of Nodemailer and not use nodemailer-smtp-transport at all. Another thing is that the referenced vulnerability in underscore does not affect nodemailer-smtp-transport in any way. It makes no difference what the version of underscore is, as that specific code path is never executed.
@andris9 So, if I understand correctly we have no problem here, nothing to do?
Thanks @andris9. It would also be nice to add a deprecation notice to the README file.
@andris9 Thanks! Didn't realize I didn't need this module. Here is a link to the documentation: https://nodemailer.com/smtp/#:~:text=%3E%20SMTP%20transport-,SMTP%20TRANSPORT,-SMTP%20is%20the |
The updated version you can find here:
Shouldn't the version be bumped from 2.7.4 to 2.7.5 as well?