actions/send-mail
1
0
Fork 0
mirror of https://github.com/dawidd6/action-send-mail.git synced 2026-06-18 15:40:52 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
1369c5b90d1bb51b1095261e8184c7f58b4a8ea1
send-mail/node_modules/nodemailer/SECURITY.md
T
Dawid Dziurla 1369c5b90d node_modules: update (#297) 
Co-authored-by: dawidd6 <9713907+dawidd6@users.noreply.github.com>
2026-06-15 07:32:52 +02:00

2.7 KiB
Raw Blame History

Security Policy

Nodemailer is a widely deployed, zero-dependency e-mail library. We take security reports seriously and aim to respond quickly.

Supported Versions

Security fixes are released only against the latest major version. We do not backport patches to older majors — upgrading to the current release line is the supported way to receive security updates.

Version Supported
8.x
< 8.0

If you are on an older major, please upgrade. See the migration notes at https://nodemailer.com/ before updating.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

Report privately through one of the following channels:

  1. GitHub Security Advisories (preferred). Open a private report at https://github.com/nodemailer/nodemailer/security/advisories/new. This keeps the discussion private until a fix is published and lets us credit you.
  2. Email. Send details to andris@reinman.eu (the contact listed in SECURITY.txt). Encrypt sensitive details if possible.

When reporting, please include as much of the following as you can:

  • The affected version(s) and environment (Node.js version, OS).
  • The component involved (e.g. SMTP connection, address parsing, MIME/header generation, DKIM).
  • A clear description of the issue and its impact (e.g. header/SMTP command injection, information disclosure, DoS).
  • A minimal proof of concept or reproduction steps.
  • Any suggested remediation, if you have one.

Nodemailer is maintained by a single person, so there is no guaranteed response time — sometimes reports are handled within hours, sometimes they take longer. Accepted issues are fixed in a new release and coordinated through a GitHub Security Advisory, and reporters who wish to be named are credited.

CVEs

We track and disclose vulnerabilities through GitHub Security Advisories. We do not request or manage CVE identifiers ourselves. If you need a CVE assigned for a reported issue, please request one yourself — for example, through GitHub's own CVE request flow on the published advisory, or another CNA.

Scope

In scope: the nodemailer package source in this repository — message and MIME generation, SMTP/LMTP client behaviour, address parsing, header handling, DKIM signing, and the bundled transports.

Out of scope: vulnerabilities in your own application code, misconfiguration of your mail server or credentials, social-engineering reports, and issues in third-party services Nodemailer connects to.

Thank you for helping keep Nodemailer and its users safe.

Reference in New Issue View Git Blame Copy Permalink