From 74820f26122b20e5131e8c9ab3a3d19b89e5da10 Mon Sep 17 00:00:00 2001
From: pddivine
Date: Wed, 24 Jun 2026 15:51:28 -0700
Subject: [PATCH] fix(deps): bump nodemailer to ^9.0.1

Resolves three high-severity advisories in nodemailer <=9.0.0:
- GHSA-p6gq-j5cr-w38f: SMTP command injection via unsanitized envelope.size
- CRLF injection via Transport name option (EHLO/HELO)
- CRLF injection in List-* header comments

Closes #476.

Breaking changes between v7 and v9 were reviewed; neither affects this library's usage:
- v8 renamed error code `NoAuth` to `ENOAUTH` (not referenced here).
- v9 enables TLS certificate validation by default when fetching remote content (attachments, OAuth2, proxy CONNECT). This library does not configure those code paths itself; consumers who rely on lax TLS can opt out per request via tls.rejectUnauthorized=false.

All 29 ava tests pass and lint is clean.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9cae455..9972a1c 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
   "html-to-text": "^9.0.5",
   "juice": "^11.0.3",
   "lodash": "^4.17.21",
-  "nodemailer": "^7.0.12"
+  "nodemailer": "^9.0.1"
 },
 "devDependencies": {
   "@commitlint/cli": "^19.3.0",