diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index 252edc33..83c29c97 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -185,9 +185,9 @@ } }, "node_modules/minimatch": { - "version": "3.1.3", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.3.tgz", - "integrity": "sha512-M2GCs7Vk83NxkUyQV1bkABc4yxgz9kILhHImZiBPAZ9ybuvCb0/H7lEl5XvIg3g+9d4eNotkZA5IWwYl0tibaA==", + "version": "3.1.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", + "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "license": "ISC", "dependencies": { "brace-expansion": "^1.1.7" @@ -197,9 +197,9 @@ } }, "node_modules/nodemailer": { - "version": "8.0.1", - "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.1.tgz", - "integrity": "sha512-5kcldIXmaEjZcHR6F28IKGSgpmZHaF1IXLWFTG+Xh3S+Cce4MiakLtWY+PlBU69fLbRa8HlaGIrC/QolUpHkhg==", + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.2.tgz", + "integrity": "sha512-zbj002pZAIkWQFxyAaqoxvn+zoIwRnS40hgjqTXudKOOJkiFFgBeNqjgD3/YCR12sZnrghWYBY+yP1ZucdDRpw==", "license": "MIT-0", "engines": { "node": ">=6.0.0" diff --git a/node_modules/minimatch/README.md b/node_modules/minimatch/README.md index 33ede1d6..60d88502 100644 --- a/node_modules/minimatch/README.md +++ b/node_modules/minimatch/README.md @@ -10,6 +10,43 @@ This is the matching library used internally by npm. It works by converting glob expressions into JavaScript `RegExp` objects. +## Important Security Consideration! + +> [!WARNING] +> This library uses JavaScript regular expressions. Please read +> the following warning carefully, and be thoughtful about what +> you provide to this library in production systems. + +_Any_ library in JavaScript that deals with matching string +patterns using regular expressions will be subject to +[ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) +if the pattern is generated using untrusted input. + +Efforts have been made to mitigate risk as much as is feasible in +such a library, providing maximum recursion depths and so forth, +but these measures can only ultimately protect against accidents, +not malice. A dedicated attacker can _always_ find patterns that +cannot be defended against by a bash-compatible glob pattern +matching system that uses JavaScript regular expressions. + +To be extremely clear: + +> [!WARNING] +> **If you create a system where you take user input, and use +> that input as the source of a Regular Expression pattern, in +> this or any extant glob matcher in JavaScript, you will be +> pwned.** + +A future version of this library _may_ use a different matching +algorithm which does not exhibit backtracking problems. If and +when that happens, it will likely be a sweeping change, and those +improvements will **not** be backported to legacy versions. + +In the near term, it is not reasonable to continue to play +whack-a-mole with security advisories, and so any future ReDoS +reports will be considered "working as intended", and resolved +entirely by this warning. + ## Usage ```javascript diff --git a/node_modules/minimatch/minimatch.js b/node_modules/minimatch/minimatch.js index 46ede8dd..2e4a058a 100644 --- a/node_modules/minimatch/minimatch.js +++ b/node_modules/minimatch/minimatch.js @@ -142,6 +142,8 @@ function Minimatch (pattern, options) { } this.options = options + this.maxGlobstarRecursion = options.maxGlobstarRecursion !== undefined + ? options.maxGlobstarRecursion : 200 this.set = [] this.pattern = pattern this.regexp = null @@ -787,19 +789,163 @@ Minimatch.prototype.match = function match (f, partial) { // out of pattern, then that's fine, as long as all // the parts match. Minimatch.prototype.matchOne = function (file, pattern, partial) { - var options = this.options + if (pattern.indexOf(GLOBSTAR) !== -1) { + return this._matchGlobstar(file, pattern, partial, 0, 0) + } + return this._matchOne(file, pattern, partial, 0, 0) +} - this.debug('matchOne', - { 'this': this, file: file, pattern: pattern }) +Minimatch.prototype._matchGlobstar = function (file, pattern, partial, fileIndex, patternIndex) { + var i - this.debug('matchOne', file.length, pattern.length) + // find first globstar from patternIndex + var firstgs = -1 + for (i = patternIndex; i < pattern.length; i++) { + if (pattern[i] === GLOBSTAR) { firstgs = i; break } + } - for (var fi = 0, - pi = 0, - fl = file.length, - pl = pattern.length - ; (fi < fl) && (pi < pl) - ; fi++, pi++) { + // find last globstar + var lastgs = -1 + for (i = pattern.length - 1; i >= 0; i--) { + if (pattern[i] === GLOBSTAR) { lastgs = i; break } + } + + var head = pattern.slice(patternIndex, firstgs) + var body = partial ? pattern.slice(firstgs + 1) : pattern.slice(firstgs + 1, lastgs) + var tail = partial ? [] : pattern.slice(lastgs + 1) + + // check the head + if (head.length) { + var fileHead = file.slice(fileIndex, fileIndex + head.length) + if (!this._matchOne(fileHead, head, partial, 0, 0)) { + return false + } + fileIndex += head.length + } + + // check the tail + var fileTailMatch = 0 + if (tail.length) { + if (tail.length + fileIndex > file.length) return false + + var tailStart = file.length - tail.length + if (this._matchOne(file, tail, partial, tailStart, 0)) { + fileTailMatch = tail.length + } else { + // affordance for stuff like a/**/* matching a/b/ + if (file[file.length - 1] !== '' || + fileIndex + tail.length === file.length) { + return false + } + tailStart-- + if (!this._matchOne(file, tail, partial, tailStart, 0)) { + return false + } + fileTailMatch = tail.length + 1 + } + } + + // if body is empty (single ** between head and tail) + if (!body.length) { + var sawSome = !!fileTailMatch + for (i = fileIndex; i < file.length - fileTailMatch; i++) { + var f = String(file[i]) + sawSome = true + if (f === '.' || f === '..' || + (!this.options.dot && f.charAt(0) === '.')) { + return false + } + } + return partial || sawSome + } + + // split body into segments at each GLOBSTAR + var bodySegments = [[[], 0]] + var currentBody = bodySegments[0] + var nonGsParts = 0 + var nonGsPartsSums = [0] + for (var bi = 0; bi < body.length; bi++) { + var b = body[bi] + if (b === GLOBSTAR) { + nonGsPartsSums.push(nonGsParts) + currentBody = [[], 0] + bodySegments.push(currentBody) + } else { + currentBody[0].push(b) + nonGsParts++ + } + } + + var idx = bodySegments.length - 1 + var fileLength = file.length - fileTailMatch + for (var si = 0; si < bodySegments.length; si++) { + bodySegments[si][1] = fileLength - + (nonGsPartsSums[idx--] + bodySegments[si][0].length) + } + + return !!this._matchGlobStarBodySections( + file, bodySegments, fileIndex, 0, partial, 0, !!fileTailMatch + ) +} + +// return false for "nope, not matching" +// return null for "not matching, cannot keep trying" +Minimatch.prototype._matchGlobStarBodySections = function ( + file, bodySegments, fileIndex, bodyIndex, partial, globStarDepth, sawTail +) { + var bs = bodySegments[bodyIndex] + if (!bs) { + // just make sure there are no bad dots + for (var i = fileIndex; i < file.length; i++) { + sawTail = true + var f = file[i] + if (f === '.' || f === '..' || + (!this.options.dot && f.charAt(0) === '.')) { + return false + } + } + return sawTail + } + + var body = bs[0] + var after = bs[1] + while (fileIndex <= after) { + var m = this._matchOne( + file.slice(0, fileIndex + body.length), + body, + partial, + fileIndex, + 0 + ) + // if limit exceeded, no match. intentional false negative, + // acceptable break in correctness for security. + if (m && globStarDepth < this.maxGlobstarRecursion) { + var sub = this._matchGlobStarBodySections( + file, bodySegments, + fileIndex + body.length, bodyIndex + 1, + partial, globStarDepth + 1, sawTail + ) + if (sub !== false) { + return sub + } + } + var f = file[fileIndex] + if (f === '.' || f === '..' || + (!this.options.dot && f.charAt(0) === '.')) { + return false + } + fileIndex++ + } + return partial || null +} + +Minimatch.prototype._matchOne = function (file, pattern, partial, fileIndex, patternIndex) { + var fi, pi, fl, pl + for ( + fi = fileIndex, pi = patternIndex, fl = file.length, pl = pattern.length + ; (fi < fl) && (pi < pl) + ; fi++, pi++ + ) { this.debug('matchOne loop') var p = pattern[pi] var f = file[fi] @@ -809,87 +955,7 @@ Minimatch.prototype.matchOne = function (file, pattern, partial) { // should be impossible. // some invalid regexp stuff in the set. /* istanbul ignore if */ - if (p === false) return false - - if (p === GLOBSTAR) { - this.debug('GLOBSTAR', [pattern, p, f]) - - // "**" - // a/**/b/**/c would match the following: - // a/b/x/y/z/c - // a/x/y/z/b/c - // a/b/x/b/x/c - // a/b/c - // To do this, take the rest of the pattern after - // the **, and see if it would match the file remainder. - // If so, return success. - // If not, the ** "swallows" a segment, and try again. - // This is recursively awful. - // - // a/**/b/**/c matching a/b/x/y/z/c - // - a matches a - // - doublestar - // - matchOne(b/x/y/z/c, b/**/c) - // - b matches b - // - doublestar - // - matchOne(x/y/z/c, c) -> no - // - matchOne(y/z/c, c) -> no - // - matchOne(z/c, c) -> no - // - matchOne(c, c) yes, hit - var fr = fi - var pr = pi + 1 - if (pr === pl) { - this.debug('** at the end') - // a ** at the end will just swallow the rest. - // We have found a match. - // however, it will not swallow /.x, unless - // options.dot is set. - // . and .. are *never* matched by **, for explosively - // exponential reasons. - for (; fi < fl; fi++) { - if (file[fi] === '.' || file[fi] === '..' || - (!options.dot && file[fi].charAt(0) === '.')) return false - } - return true - } - - // ok, let's see if we can swallow whatever we can. - while (fr < fl) { - var swallowee = file[fr] - - this.debug('\nglobstar while', file, fr, pattern, pr, swallowee) - - // XXX remove this slice. Just pass the start index. - if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) { - this.debug('globstar found match!', fr, fl, swallowee) - // found a match. - return true - } else { - // can't swallow "." or ".." ever. - // can only swallow ".foo" when explicitly asked. - if (swallowee === '.' || swallowee === '..' || - (!options.dot && swallowee.charAt(0) === '.')) { - this.debug('dot detected!', file, fr, pattern, pr) - break - } - - // ** swallows a segment, and continue. - this.debug('globstar swallow a segment, and continue') - fr++ - } - } - - // no match was found. - // However, in partial mode, we can't say this is necessarily over. - // If there's more *pattern* left, then - /* istanbul ignore if */ - if (partial) { - // ran out of file - this.debug('\n>>> no match, partial?', file, fr, pattern, pr) - if (fr === fl) return true - } - return false - } + if (p === false || p === GLOBSTAR) return false // something other than ** // non-magic patterns just have to match exactly @@ -906,17 +972,6 @@ Minimatch.prototype.matchOne = function (file, pattern, partial) { if (!hit) return false } - // Note: ending in / means that we'll get a final "" - // at the end of the pattern. This can only match a - // corresponding "" at the end of the file. - // If the file ends in /, then it can only match a - // a pattern that ends in /, unless the pattern just - // doesn't have any more for it. But, a/b/ should *not* - // match "a/b/*", even though "" matches against the - // [^/]*? pattern, except in partial mode, where it might - // simply not be reached yet. - // However, a/b/ should still satisfy a/* - // now either we fell off the end of the pattern, or we're done. if (fi === fl && pi === pl) { // ran out of pattern and filename at the same time. diff --git a/node_modules/minimatch/package.json b/node_modules/minimatch/package.json index 89f50668..563d2184 100644 --- a/node_modules/minimatch/package.json +++ b/node_modules/minimatch/package.json @@ -2,7 +2,7 @@ "author": "Isaac Z. Schlueter (http://blog.izs.me)", "name": "minimatch", "description": "a glob matcher in javascript", - "version": "3.1.3", + "version": "3.1.5", "publishConfig": { "tag": "legacy-v3" }, diff --git a/node_modules/nodemailer/CHANGELOG.md b/node_modules/nodemailer/CHANGELOG.md index 49a2049e..410ff412 100644 --- a/node_modules/nodemailer/CHANGELOG.md +++ b/node_modules/nodemailer/CHANGELOG.md @@ -1,5 +1,12 @@ # CHANGELOG +## [8.0.2](https://github.com/nodemailer/nodemailer/compare/v8.0.1...v8.0.2) (2026-03-09) + + +### Bug Fixes + +* merge fragmented display names with unquoted commas in addressparser ([fe27f7f](https://github.com/nodemailer/nodemailer/commit/fe27f7fd57f7587d897274438da2f628ad0ad7d9)) + ## [8.0.1](https://github.com/nodemailer/nodemailer/compare/v8.0.0...v8.0.1) (2026-02-07) diff --git a/node_modules/nodemailer/lib/addressparser/index.js b/node_modules/nodemailer/lib/addressparser/index.js index 9c099b41..25ea9502 100644 --- a/node_modules/nodemailer/lib/addressparser/index.js +++ b/node_modules/nodemailer/lib/addressparser/index.js @@ -361,6 +361,20 @@ function addressparser(str, options) { } }); + // Merge fragments from unquoted display names containing commas/semicolons. + // When "Joe Foo, PhD " is split on the comma, it produces + // [{name:"Joe Foo", address:""}, {name:"PhD", address:"joe@example.com"}]. + // Detect this pattern and recombine: a name-only entry followed by an entry + // that has both a name and an address (from angle-bracket notation). + for (let i = parsedAddresses.length - 2; i >= 0; i--) { + let current = parsedAddresses[i]; + let next = parsedAddresses[i + 1]; + if (current.address === '' && current.name && !current.group && next.address && next.name && !next.group) { + next.name = current.name + ', ' + next.name; + parsedAddresses.splice(i, 1); + } + } + if (options.flatten) { let addresses = []; let walkAddressList = list => { diff --git a/node_modules/nodemailer/package.json b/node_modules/nodemailer/package.json index 020e4d16..ca950381 100644 --- a/node_modules/nodemailer/package.json +++ b/node_modules/nodemailer/package.json @@ -1,6 +1,6 @@ { "name": "nodemailer", - "version": "8.0.1", + "version": "8.0.2", "description": "Easy as cake e-mail sending from your Node.js applications", "main": "lib/nodemailer.js", "scripts": { @@ -26,12 +26,12 @@ }, "homepage": "https://nodemailer.com/", "devDependencies": { - "@aws-sdk/client-sesv2": "3.985.0", + "@aws-sdk/client-sesv2": "3.1004.0", "bunyan": "1.8.15", - "c8": "10.1.3", - "eslint": "10.0.0", + "c8": "11.0.0", + "eslint": "10.0.3", "eslint-config-prettier": "10.1.8", - "globals": "17.3.0", + "globals": "17.4.0", "libbase64": "1.3.0", "libmime": "5.3.7", "libqp": "2.1.1",