node_modules: update (#276)

Co-authored-by: dawidd6 <9713907+dawidd6@users.noreply.github.com>

README.md

@@ -27,54 +27,86 @@ Some features:
     #  * smtp://user:password@server:port
     #  * smtp+starttls://user:password@server:port
     connection_url: ${{secrets.MAIL_CONNECTION}}
+
     # Required mail server address if not connection_url:
     server_address: smtp.gmail.com
+
     # Server port, default 25:
     server_port: 465
+
     # Optional whether this connection use TLS (default is true if server_port is 465)
     secure: true
+
     # Optional (recommended) mail server username:
     username: ${{secrets.MAIL_USERNAME}}
+
     # Optional (recommended) mail server password:
     password: ${{secrets.MAIL_PASSWORD}}
+
     # Required mail subject:
     subject: Github Actions job result
-    # Optional recipients' addresses:
-    to: obiwan@example.com,yoda@example.com
-    # Required sender (Either: "Plain Simple Name <user@doma.in>" or just "user@doma.in" (without the <>))
-    # Important: '<' and '>' are special chars in yaml. Therefore this string should be quoted
+
+    # Optional recipients. Separate multiple addresses by a comma (possibly surrounded by whitespace):
+    to: obiwan@example.com, yoda@example.com
+
+    # Required sender (supported formats: see "Supported address formats" below)
     from: 'Luke Skywalker <user@example.com>'
+
     # Optional plain body:
     body: Build job of ${{github.repository}} completed successfully!
+
     # Optional HTML body read from file:
     html_body: file://README.html
-    # Optional carbon copy recipients:
-    cc: kyloren@example.com,leia@example.com
-    # Optional blind carbon copy recipients:
-    bcc: r2d2@example.com,hansolo@example.com
+
+    # Optional carbon copy recipients. Separate multiple addresses by a comma (possibly surrounded by whitespace):
+    cc: 'kyloren@example.com, "Her Majesty, Princess Leia" <leia@example.com>'
+
+    # Optional blind carbon copy recipients. Separate multiple addresses by a comma (possibly surrounded by whitespace):
+    bcc: r2d2@example.com, hansolo@example.com
+
     # Optional recipient of the email response:
     reply_to: luke@example.com
+
     # Optional Message ID this message is replying to:
-    in_reply_to: <random-luke@example.com>
+    in_reply_to: '<3cc627c8-6181-453b-d90b-04aae9e23b21@github.com>'
+
     # Optional unsigned/invalid certificates allowance:
     ignore_cert: true
+
     # Optional converting Markdown to HTML (set content_type to text/html too):
     convert_markdown: true
+
     # Optional attachments:
     attachments: attachments.zip,git.diff,./dist/static/*.js
+
     # Optional priority: 'high', 'normal' (default) or 'low'
     priority: low
+
     # Optional custom headers:
     headers: '{"X-Priority": "3 (Normal)", "X-My-Header": "MyValue"}'
+
     # Optional nodemailerlog: true/false
     nodemailerlog: false
-    # Optional nodemailerdebug: true/false if true lognodem will also be set true
+
+    # Optional nodemailerdebug: true/false if true nodemailerlog will also be set true
     nodemailerdebug: false
+
     # Optional custom SMTP MAIL FROM address (overrides username):
     envelope_from: mailer@example.com
-    # Optional custom SMTP RCPT TO addresses (overrides to, cc, bcc):
-    envelope_to: mailer@example.com,admin@example.com
+
+    # Optional custom SMTP RCPT TO addresses (overrides to, cc, bcc). Separate multiple addresses by a comma (possibly surrounded by whitespace):
+    envelope_to: mailer@example.com, admin@example.com
 ```
+### Remark for `envelope_from` and `envelope_to`
+
+[nodemailer](https://nodemailer.com/) (the node module that does the actual sending) requires that if the optional custom envelope is used, **both** its attributes `from` and `to` must be set. To facilitate setting only one of `envelope_from` or `envelope_to`, this action sets the other one from the regular message fields in the following way:
+
+* If only `envelope_from` is set, `envelope_to` will be set to the concatenation of `to`, `cc` and `bcc` (with duplicates removed).
+* If only `envelope_to` is set, `envelope_from` will be set to the address specified in `from`.
+
+### Supported address formats
+This action now uses nodemailer's addressparser. The supported address formats are described [here](https://nodemailer.com/message/addresses).
+Mail addresses can contain YAML special characters like '<' and '>'. To avoid YAML parsing issues, addresses that contain such characters should be enclosed in single quotes.
 
 ## Troubleshooting
 

main.js

@@ -1,4 +1,5 @@
 import nodemailer from "nodemailer";
+import addressparser from "nodemailer/lib/addressparser/index.js";
 import * as core from "@actions/core";
 import * as glob from "@actions/glob";
 import fs from "node:fs";
@@ -39,6 +40,39 @@ function sleep(ms) {
     });
 }
 
+/**
+ * Prepare an envelope object for nodemailer.
+ *
+ * If only one of envelopeFrom or envelopeTo is set, make sure that both
+ * are set in the returned object. Furthermore, make sure that the attribute 'to'
+ * is an array of email addresses, not a comma-separated string.
+ */
+function setupEnvelope(envelopeFrom, envelopeTo, from, to, cc, bcc) {
+    if (envelopeFrom || envelopeTo) {
+        // Take address in from, if envelopeFrom is not set.
+        envelopeFrom = envelopeFrom ? addressparser(envelopeFrom) : addressparser(from);
+        if (envelopeFrom.length != 1 || envelopeFrom[0].address == '') {
+            throw new Error("'envelopeFrom' address is invalid");
+        }
+        if (envelopeTo) {
+            envelopeTo = addressparser(envelopeTo);
+        } else {
+            // Take addresses in to, cc and bcc. Deduplication is handled by nodemailer.
+            for (const src of [to, cc, bcc]) {
+                if (src) {
+                    let parsed = addressparser(src);
+                    envelopeTo = envelopeTo ? envelopeTo.concat(parsed) : parsed;
+                }
+            }
+        }
+        return {
+            from: envelopeFrom,
+            to: envelopeTo,
+        };
+    }
+    return undefined;
+}
+
 async function main() {
     try {
         let serverAddress = core.getInput("server_address");
@@ -111,7 +145,8 @@ async function main() {
 
         // Basic check for an email sender address
         // Either: "Plain Simple Name <user@doma.in>" or just "user@doma.in" (without the <>)
-        if (!(/^([^<>@\s]+\s+)+<[^@\s>]+@[^@\s>]+>$/.test(from) || /^[^<>@\s]+@[^@\s<>]+$/.test(from))) {
+        let parsed = addressparser(from);
+        if (parsed.length != 1 || parsed[0].address == '') {
             throw new Error("'from' address is invalid");
         }
 
@@ -148,10 +183,7 @@ async function main() {
             proxy: process.env.HTTP_PROXY,
         });
 
-        let i = 1;
-        while (true) {
-            try {
-                const info = await transport.sendMail({
+        const messageOptions = {
             from: from,
             to: to,
             subject: getText(subject, false),
@@ -169,14 +201,13 @@ async function main() {
             attachments: attachments
                 ? await getAttachments(attachments)
                 : undefined,
-                    envelope:
-                        envelopeFrom || envelopeTo
-                            ? {
-                                  from: envelopeFrom ? envelopeFrom : undefined,
-                                  to: envelopeTo ? envelopeTo : undefined,
-                              }
-                            : undefined,
-                });
+            envelope: setupEnvelope(envelopeFrom, envelopeTo, from, to, cc, bcc),
+        };
+
+        let i = 1;
+        while (true) {
+            try {
+                const info = await transport.sendMail(messageOptions);
                 break;
             } catch (error) {
                 if (!error.message.includes("Try again later,")) {

node_modules/.package-lock.json

@@ -319,9 +319,9 @@
       }
     },
     "node_modules/undici": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
+      "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
       "license": "MIT",
       "engines": {
         "node": ">=18.17"

node_modules/undici/docs/docs/api/Errors.md

@@ -27,6 +27,7 @@ import { errors } from 'undici'
 | `InformationalError`                 | `UND_ERR_INFO`                        | expected error with reason                                                |
 | `ResponseExceededMaxSizeError`       | `UND_ERR_RES_EXCEEDED_MAX_SIZE`       | response body exceed the max size allowed                                 |
 | `SecureProxyConnectionError`         | `UND_ERR_PRX_TLS`                     | tls connection to a proxy failed                                          |
+| `MessageSizeExceededError`           | `UND_ERR_WS_MESSAGE_SIZE_EXCEEDED`    | WebSocket decompressed message exceeded the maximum allowed size          |
 
 ### `SocketError`
 

node_modules/undici/docs/docs/api/WebSocket.md

@@ -13,6 +13,14 @@ Arguments:
 * **url** `URL | string` - The url's protocol *must* be `ws` or `wss`.
 * **protocol** `string | string[] | WebSocketInit` (optional) - Subprotocol(s) to request the server use, or a [`Dispatcher`](./Dispatcher.md).
 
+### WebSocketInit
+
+When passing an object as the second argument, the following options are available:
+
+* **protocols** `string | string[]` (optional) - Subprotocol(s) to request the server use.
+* **dispatcher** `Dispatcher` (optional) - A custom [`Dispatcher`](/docs/docs/api/Dispatcher.md) to use for the connection.
+* **headers** `HeadersInit` (optional) - Custom headers to include in the WebSocket handshake request.
+
 ### Example:
 
 This example will not work in browsers or other platforms that don't allow passing an object.

node_modules/undici/lib/core/errors.js

@@ -379,6 +379,24 @@ class SecureProxyConnectionError extends UndiciError {
   [kSecureProxyConnectionError] = true
 }
 
+const kMessageSizeExceededError = Symbol.for('undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED')
+class MessageSizeExceededError extends UndiciError {
+  constructor (message) {
+    super(message)
+    this.name = 'MessageSizeExceededError'
+    this.message = message || 'Max decompressed message size exceeded'
+    this.code = 'UND_ERR_WS_MESSAGE_SIZE_EXCEEDED'
+  }
+
+  static [Symbol.hasInstance] (instance) {
+    return instance && instance[kMessageSizeExceededError] === true
+  }
+
+  get [kMessageSizeExceededError] () {
+    return true
+  }
+}
+
 module.exports = {
   AbortError,
   HTTPParserError,
@@ -402,5 +420,6 @@ module.exports = {
   ResponseExceededMaxSizeError,
   RequestRetryError,
   ResponseError,
-  SecureProxyConnectionError
+  SecureProxyConnectionError,
+  MessageSizeExceededError
 }

node_modules/undici/lib/core/request.js

@@ -66,6 +66,10 @@ class Request {
       throw new InvalidArgumentError('upgrade must be a string')
     }
 
+    if (upgrade && !isValidHeaderValue(upgrade)) {
+      throw new InvalidArgumentError('invalid upgrade header')
+    }
+
     if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) {
       throw new InvalidArgumentError('invalid headersTimeout')
     }
@@ -360,13 +364,19 @@ function processHeader (request, key, val) {
     val = `${val}`
   }
 
-  if (request.host === null && headerName === 'host') {
+  if (headerName === 'host') {
+    if (request.host !== null) {
+      throw new InvalidArgumentError('duplicate host header')
+    }
     if (typeof val !== 'string') {
       throw new InvalidArgumentError('invalid host header')
     }
     // Consumed by Client
     request.host = val
-  } else if (request.contentLength === null && headerName === 'content-length') {
+  } else if (headerName === 'content-length') {
+    if (request.contentLength !== null) {
+      throw new InvalidArgumentError('duplicate content-length header')
+    }
     request.contentLength = parseInt(val, 10)
     if (!Number.isFinite(request.contentLength)) {
       throw new InvalidArgumentError('invalid content-length header')

node_modules/undici/lib/web/websocket/permessage-deflate.js

@@ -2,17 +2,30 @@
 
 const { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require('node:zlib')
 const { isValidClientWindowBits } = require('./util')
+const { MessageSizeExceededError } = require('../../core/errors')
 
 const tail = Buffer.from([0x00, 0x00, 0xff, 0xff])
 const kBuffer = Symbol('kBuffer')
 const kLength = Symbol('kLength')
 
+// Default maximum decompressed message size: 4 MB
+const kDefaultMaxDecompressedSize = 4 * 1024 * 1024
+
 class PerMessageDeflate {
   /** @type {import('node:zlib').InflateRaw} */
   #inflate
 
   #options = {}
 
+  /** @type {boolean} */
+  #aborted = false
+
+  /** @type {Function|null} */
+  #currentCallback = null
+
+  /**
+   * @param {Map<string, string>} extensions
+   */
   constructor (extensions) {
     this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover')
     this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits')
@@ -24,6 +37,11 @@ class PerMessageDeflate {
     //     payload of the message.
     // 2.  Decompress the resulting data using DEFLATE.
 
+    if (this.#aborted) {
+      callback(new MessageSizeExceededError())
+      return
+    }
+
     if (!this.#inflate) {
       let windowBits = Z_DEFAULT_WINDOWBITS
 
@@ -36,13 +54,37 @@ class PerMessageDeflate {
         windowBits = Number.parseInt(this.#options.serverMaxWindowBits)
       }
 
+      try {
         this.#inflate = createInflateRaw({ windowBits })
+      } catch (err) {
+        callback(err)
+        return
+      }
       this.#inflate[kBuffer] = []
       this.#inflate[kLength] = 0
 
       this.#inflate.on('data', (data) => {
-        this.#inflate[kBuffer].push(data)
+        if (this.#aborted) {
+          return
+        }
+
         this.#inflate[kLength] += data.length
+
+        if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) {
+          this.#aborted = true
+          this.#inflate.removeAllListeners()
+          this.#inflate.destroy()
+          this.#inflate = null
+
+          if (this.#currentCallback) {
+            const cb = this.#currentCallback
+            this.#currentCallback = null
+            cb(new MessageSizeExceededError())
+          }
+          return
+        }
+
+        this.#inflate[kBuffer].push(data)
       })
 
       this.#inflate.on('error', (err) => {
@@ -51,16 +93,22 @@ class PerMessageDeflate {
       })
     }
 
+    this.#currentCallback = callback
     this.#inflate.write(chunk)
     if (fin) {
       this.#inflate.write(tail)
     }
 
     this.#inflate.flush(() => {
+      if (this.#aborted || !this.#inflate) {
+        return
+      }
+
       const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength])
 
       this.#inflate[kBuffer].length = 0
       this.#inflate[kLength] = 0
+      this.#currentCallback = null
 
       callback(null, full)
     })

node_modules/undici/lib/web/websocket/receiver.js

@@ -37,6 +37,10 @@ class ByteParser extends Writable {
   /** @type {Map<string, PerMessageDeflate>} */
   #extensions
 
+  /**
+   * @param {import('./websocket').WebSocket} ws
+   * @param {Map<string, string>|null} extensions
+   */
   constructor (ws, extensions) {
     super()
 
@@ -179,6 +183,7 @@ class ByteParser extends Writable {
 
         const buffer = this.consume(8)
         const upper = buffer.readUInt32BE(0)
+        const lower = buffer.readUInt32BE(4)
 
         // 2^31 is the maximum bytes an arraybuffer can contain
         // on 32-bit systems. Although, on 64-bit systems, this is
@@ -186,14 +191,12 @@ class ByteParser extends Writable {
         // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length
         // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275
         // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e
-        if (upper > 2 ** 31 - 1) {
+        if (upper !== 0 || lower > 2 ** 31 - 1) {
           failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.')
           return
         }
 
-        const lower = buffer.readUInt32BE(4)
-
-        this.#info.payloadLength = (upper << 8) + lower
+        this.#info.payloadLength = lower
         this.#state = parserStates.READ_DATA
       } else if (this.#state === parserStates.READ_DATA) {
         if (this.#byteOffset < this.#info.payloadLength) {
@@ -223,7 +226,7 @@ class ByteParser extends Writable {
           } else {
             this.#extensions.get('permessage-deflate').decompress(body, this.#info.fin, (error, data) => {
               if (error) {
-                closeWebSocketConnection(this.ws, 1007, error.message, error.message.length)
+                failWebsocketConnection(this.ws, error.message)
                 return
               }
 

node_modules/undici/lib/web/websocket/util.js

@@ -266,6 +266,12 @@ function parseExtensions (extensions) {
  * @param {string} value
  */
 function isValidClientWindowBits (value) {
+  // Must have at least one character
+  if (value.length === 0) {
+    return false
+  }
+
+  // Check all characters are ASCII digits
   for (let i = 0; i < value.length; i++) {
     const byte = value.charCodeAt(i)
 
@@ -274,7 +280,9 @@ function isValidClientWindowBits (value) {
     }
   }
 
-  return true
+  // Check numeric range: zlib requires windowBits in range 8-15
+  const num = Number.parseInt(value, 10)
+  return num >= 8 && num <= 15
 }
 
 // https://nodejs.org/api/intl.html#detecting-internationalization-support

node_modules/undici/lib/web/websocket/websocket.js

@@ -431,7 +431,7 @@ class WebSocket extends EventTarget {
    * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol
    */
   #onConnectionEstablished (response, parsedExtensions) {
-    // processResponse is called when the "response’s header list has been received and initialized."
+    // processResponse is called when the "response's header list has been received and initialized."
     // once this happens, the connection is open
     this[kResponse] = response
 

node_modules/undici/package.json

@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "6.23.0",
+  "version": "6.24.1",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {
@@ -107,6 +107,7 @@
   "devDependencies": {
     "@fastify/busboy": "2.1.1",
     "@matteo.collina/tspl": "^0.1.1",
+    "@metcoder95/https-pem": "^1.0.0",
     "@sinonjs/fake-timers": "^11.1.0",
     "@types/node": "~18.19.50",
     "abort-controller": "^3.0.0",
@@ -117,7 +118,6 @@
     "fast-check": "^3.17.1",
     "form-data": "^4.0.0",
     "formdata-node": "^6.0.3",
-    "https-pem": "^3.0.0",
     "husky": "^9.0.7",
     "jest": "^29.0.2",
     "jsdom": "^24.0.0",

node_modules/undici/types/errors.d.ts

@@ -146,4 +146,10 @@ declare namespace Errors {
     name: 'SecureProxyConnectionError';
     code: 'UND_ERR_PRX_TLS';
   }
+
+  /** WebSocket decompressed message exceeded maximum size. */
+  export class MessageSizeExceededError extends UndiciError {
+    name: 'MessageSizeExceededError'
+    code: 'UND_ERR_WS_MESSAGE_SIZE_EXCEEDED'
+  }
 }

package-lock.json

@@ -328,9 +328,9 @@
       }
     },
     "node_modules/undici": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
+      "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
       "license": "MIT",
       "engines": {
         "node": ">=18.17"