node_modules: update (#297)

Co-authored-by: dawidd6 <9713907+dawidd6@users.noreply.github.com>

node_modules/nodemailer/lib/xoauth2/index.js

@@ -33,6 +33,7 @@ const errors = require('../errors');
  * @param {Number} options.expires Optional Access Token expire time in ms
  * @param {Number} options.timeout Optional TTL for Access Token in seconds
  * @param {Function} options.provisionCallback Function to run when a new access token is required
+ * @param {Object} options.tls Optional TLS options forwarded to the HTTPS token request. Defaults to strict cert validation; supply { rejectUnauthorized: false } only for self-hosted OAuth providers on private CAs.
  */
 class XOAuth2 extends Stream {
     constructor(options, logger) {
@@ -370,12 +371,23 @@ class XOAuth2 extends Stream {
         const chunks = [];
         let chunklen = 0;
 
-        const req = nmfetch(url, {
+        const fetchOptions = {
             method: 'post',
             headers: params.customHeaders,
             body: payload,
             allowErrorResponse: true
-        });
+        };
+
+        // OAuth2 token endpoints are credential-bearing. lib/fetch already
+        // validates certs by default; pin rejectUnauthorized:true here so the
+        // token fetch stays strict, while still layering params.tls (the
+        // user's options.tls) on top so callers with a self-hosted provider on
+        // a private CA can override.
+        if (/^https:/i.test(url)) {
+            fetchOptions.tls = Object.assign({ rejectUnauthorized: true }, params.tls || {});
+        }
+
+        const req = nmfetch(url, fetchOptions);
 
         req.on('readable', () => {
             let chunk;