chore(deps): bump nodemailer lib #37743

Merged
ggazzo merged 3 commits into develop from bump-nodemailer on Dec 19, 2025

Conversation

@julio-rocketchat julio-rocketchat commented Dec 9, 2025

Proposed changes (including videos or screenshots)

Bumping Nodemailer to solve a couple of CVEs

Issue(s)

VLN-172

Steps to test or reproduce

N/A

Further comments

N/A

Summary by CodeRabbit

  • Chores
    • Updated email service dependency to the latest stable version.

dionisio-bot bot commented Dec 9, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

changeset-bot bot commented Dec 9, 2025

⚠️ No Changeset found

Latest commit: cc0a946

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

coderabbitai bot commented Dec 9, 2025

Walkthrough

Updated nodemailer dependency from ^6.9.16 to ^7.0.7 in apps/meteor/package.json to address a security vulnerability where email parsing incorrectly handles quoted local-parts containing @ symbols, potentially misrouting recipients.

Changes

Cohort / File(s)              Change Summary
Dependency Update
  apps/meteor/package.json    Upgrade nodemailer from ^6.9.16 to ^7.0.7 to fix email address parsing vulnerability (GHSA-mm7p-fcc7-pg87)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Verify the version bump is intentional and matches the security patch release
  • Confirm no breaking changes in nodemailer 7.0.7 by reviewing release notes if available
  • Ensure lock file is updated accordingly (if applicable)

Poem

🐰 A nodemailer update hops into view,
Security patched, version fresh and new,
Quoted addresses no longer astray,
Emails now find their rightful way! 📬✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: updating the nodemailer dependency to a new version.
Linked Issues check ✅ Passed The PR updates nodemailer from ^6.9.16 to ^7.0.7, which directly addresses the CVE vulnerability (GHSA-mm7p-fcc7-pg87) documented in VLN-172 regarding email address parsing.
Out of Scope Changes check ✅ Passed The PR contains only a targeted dependency bump to nodemailer, directly related to addressing the security vulnerability in VLN-172 with no extraneous changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
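
The walkthrough above describes the class of bug the bump fixes: an address whose quoted local-part contains an '@' is split at the wrong '@', so the message can be routed to a domain the sender never intended. The following is an added example, not nodemailer's or Rocket.Chat's code: a naive splitter beside a quote-aware parser, plus a recipient check a defender could run over outbound addresses. All addresses in it are constructed for illustration.

```javascript
// Naive approach: everything after the first '@' is treated as the domain.
// This is the failure mode behind the misrouting: a quoted local-part can
// itself contain '@', which this split does not understand.
function naiveDomain(address) {
  const at = address.indexOf('@');
  return at === -1 ? null : address.slice(at + 1);
}

// RFC 5322-aware split: inside a quoted-string local-part, '@' and any
// backslash-escaped character are literal; only an unquoted '@' separates
// local-part from domain. Returns null for malformed or ambiguous input.
function parseAddress(address) {
  let inQuotes = false;
  for (let i = 0; i < address.length; i++) {
    const ch = address[i];
    if (inQuotes && ch === '\\') { i++; continue; } // skip the escaped char
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (ch === '@' && !inQuotes) {
      const local = address.slice(0, i);
      const domain = address.slice(i + 1);
      // A second '@' or a quote in the domain means the address is malformed.
      if (!local || !domain || domain.includes('@') || domain.includes('"')) return null;
      return { local, domain, quoted: local.startsWith('"') };
    }
  }
  return null; // no unquoted separator, or an unbalanced quote
}

// Defensive policy (assumption of this example, not a nodemailer feature):
// reject recipients whose quoted local-part contains '@', because different
// parsers may disagree on where such an address is delivered.
function isSafeRecipient(address) {
  const parsed = parseAddress(address);
  return parsed !== null && !(parsed.quoted && parsed.local.includes('@'));
}

// Constructed sample: the naive split and the quote-aware parse disagree.
const sample = '"first@other.example"@example.com';
console.log(naiveDomain(sample));          // other.example"@example.com
console.log(parseAddress(sample).domain);  // example.com
console.log(isSafeRecipient(sample));      // false
```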

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a2b2e26 and d1f82fa.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • apps/meteor/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (1)
apps/meteor/package.json (1)

255-255: No actionable issues identified with the nodemailer 7.0.7 upgrade.

The codebase imports type definitions directly from nodemailer itself (import type Mail from 'nodemailer/lib/mailer'), not from the @types/nodemailer package. Since nodemailer 6.7+ includes built-in TypeScript definitions, the @types/nodemailer version (6.4.21) is not used by the codebase and poses no compatibility issues. There are no TypeScript compilation errors in the EmailInbox files that use nodemailer.

"node-fetch": "2.7.0",
"node-rsa": "^1.1.1",
"nodemailer": "^6.9.16",
"nodemailer": "^7.0.7",
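Review bot: This hunk is a major-version bump (^6.9.16 to ^7.0.7) of nodemailer in apps/meteor/package.json with no companion change, and the thread reaches opposite conclusions about the @types/nodemailer devDependency pinned at 6.4.21 (unused because types are imported from nodemailer itself, versus in need of a 7.x bump); settle that with a TypeScript build before merge. Since 7.0.0 removed legacy SES transport support in favour of @aws-sdk/client-sesv2, also confirm no transport in the codebase is created with a pre-SESv2 `SES` option, and, because yarn.lock is excluded from review by path filter, check that the lock file resolves nodemailer to 7.0.7 or later.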

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for nodemailer imports and usage in the codebase.
# ripgrep's built-in "ts" type already covers .tsx and "js" covers .jsx;
# "tsx"/"jsx" are not recognised type names and would make rg exit with an error.
echo "=== Nodemailer imports and requires ==="
rg "from\s+['\"]nodemailer|require\s*\(\s*['\"]nodemailer" --type ts --type js -n

echo -e "\n=== Searching for createTransport and nodemailer API calls ==="
rg "createTransport|transporter\.|nodemailer\." --type ts --type js -n -B 2 -A 2

echo -e "\n=== Check package.json for @types/nodemailer ==="
grep -n "@types/nodemailer" apps/meteor/package.json

Repository: RocketChat/Rocket.Chat

Length of output: 330


🌐 Web query:

nodemailer 6.x to 7.x breaking changes migration guide

💡 Result:

Summary — main breaking change

  • Nodemailer 7.x removed legacy SES support and requires the AWS SESv2 SDK (@aws-sdk/client-sesv2); older SES v2/v3 integrations plus Nodemailer’s SES rate‑limiting/idling features were removed. [1][2]

Migration checklist (6.x → 7.x)

  1. Update package:
    • npm install nodemailer@^7 @aws-sdk/client-sesv2. [1][2]
  2. Replace legacy SES transport usage with SESv2 client pattern:
    • Before (example with older SDK): createTransport({ SES: awsSdkOrOptions… })
    • Now: const { SESv2Client, SendEmailCommand } = require('@aws-sdk/client-sesv2'); const sesClient = new SESv2Client({ region }); transporter = nodemailer.createTransport({ SES: { sesClient, SendEmailCommand } }); then transporter.sendMail(..., optional ses: { /* SendEmailCommand params */ }). See SES transport docs for exact API. [2]
  3. Remove or rework any code relying on Nodemailer’s SES rate‑limiting/idling features or on automatic SES SDK behavior — those features were removed; if you implemented custom queuing/throttling, keep it or use an external queue/rate limiter. [1]
  4. Check message-level SES options: sendMail’s ses object is merged into SendEmailCommand input — validate any keys you passed previously (EmailTags, ConfigurationSetName, etc.) still map to SESv2 parameters. [2]
  5. Test error handling and IAM permissions: SESv2 uses SendEmailCommand; ensure IAM policies include the appropriate actions (ses:SendEmail / ses:SendRawEmail as applicable). [2]
  6. If you see “Using legacy SES configuration, expecting @aws-sdk/client-sesv2” errors after upgrading, update your transport to the new SESv2 pattern (example of this failure in real projects). [3]

Quick code example (minimal)

  • Install: npm i nodemailer @aws-sdk/client-sesv2
  • Usage:
    const nodemailer = require('nodemailer');
    const { SESv2Client, SendEmailCommand } = require('@aws-sdk/client-sesv2');
    const sesClient = new SESv2Client({ region: 'us-east-1' });
    const transporter = nodemailer.createTransport({ SES: { sesClient, SendEmailCommand } });
    // sendMail returns a promise; await it inside an async function, since
    // top-level await is not available in a CommonJS module using require()
    async function send() {
      await transporter.sendMail({ from: 'a@x.com', to: 'b@y.com', subject: 'hi', text: '…' });
    }

Sources

  • Nodemailer 7.0.0 changelog / breaking changes (SESv2 requirement, removal of older SES SDK support and rate‑limiting/idling). [1]
  • Nodemailer SES transport docs (SESv2 usage examples, API details, sendMail ses options). [2]
  • Example issue showing error when using legacy SES config after upgrading. [3]

Would you like a patch diff example transforming your exact 6.x SES code to 7.x?


🌐 Web query:

nodemailer 7.0.0 release notes changelog

💡 Result:

Summary of Nodemailer 7.0.0 release (published 2025-05-03)

  • Version: 7.0.0 (2025-05-03).
  • Breaking changes: SESv2 SDK support; removed older SES SDK v2 and v3; removed SES rate-limiting and idling features (see SES transport docs for updated usage). [1][2]
  • Main feature: SESv2 SDK support (replacement of older SES integrations). [1][2]

Sources:
[1] Nodemailer releases (GitHub) — release v7.0.0.
[2] Nodemailer changelog (package listing / yarnpkg).


🌐 Web query:

@types/nodemailer 7.x compatibility with nodemailer 7.0.7

💡 Result:

Yes — @types/nodemailer 7.x targets Nodemailer v7 and is compatible with nodemailer 7.0.7. See the Nodemailer package (v7.x) and the @types/nodemailer v7.x typings on npm. [1][2]

Sources:
[1] nodemailer npm package (v7.x).
[2] @types/nodemailer npm package (v7.x typings).


🏁 Script executed:

#!/bin/bash
# Check if @types/nodemailer has a 7.x version available
echo "=== Searching npm registry for @types/nodemailer versions ==="
# Try to find version info by checking package metadata
rg "@types/nodemailer" apps/meteor/package.json -A 1 -B 1

Repository: RocketChat/Rocket.Chat

Length of output: 229


Update @types/nodemailer to v7.x to match the nodemailer upgrade.

The upgrade to nodemailer ^7.0.7 requires @types/nodemailer to be updated from ~6.4.21 to a compatible 7.x version. The current type definitions are incompatible with the major version bump and will cause TypeScript compilation failures. Update @types/nodemailer to ~7.x or higher.

🤖 Prompt for AI Agents
In apps/meteor/package.json around line 255, the project upgraded nodemailer to
^7.0.7 but left @types/nodemailer at the v6 series; update the devDependency to
a v7-compatible version (e.g., ~7.x) so TypeScript types match the new major
nodemailer API, then run install and TypeScript build to verify no type errors.

github-actions bot commented Dec 9, 2025

📦 Docker Image Size Report

📈 Changes

Service                           Current  Baseline  Change   Percent
sum of all images                 1.2GiB   1.2GiB    +12MiB
rocketchat                        360MiB   349MiB    +12MiB
omnichannel-transcript-service    132MiB   132MiB    +480B
queue-worker-service              132MiB   132MiB    -5B
ddp-streamer-service              126MiB   126MiB    +906B
account-service                   113MiB   113MiB    -923B
stream-hub-service                111MiB   111MiB    +25B
authorization-service             111MiB   111MiB    +567B
presence-service                  111MiB   111MiB    -592B

📊 Historical Trend

[Chart: "Image Size Evolution by Service (Last 30 Days + This PR)"; x-axis: build dates from 11/15 to 12/09 plus this PR's build (12/09 14:14); y-axis: Size (GB), 0 to 0.5; one line per service (account-service, authorization-service, ddp-streamer-service, omnichannel-transcript-service, presence-service, queue-worker-service, rocketchat, stream-hub-service). All series are essentially flat over the period: rocketchat at roughly 0.34 to 0.36 GB, the other services at 0.11 to 0.14 GB.]

Statistics (last 16 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37743
  • Baseline: develop
  • Timestamp: 2025-12-09 14:14:48 UTC
  • Historical data points: 16

Updated: Tue, 09 Dec 2025 14:14:48 GMT

codecov bot commented Dec 9, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.72%. Comparing base (3837d20) to head (cc0a946).
⚠️ Report is 78 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #37743      +/-   ##
===========================================
- Coverage    67.80%   67.72%   -0.08%     
===========================================
  Files         3448     3448              
  Lines       113918   113918              
  Branches     20915    20915              
===========================================
- Hits         77239    77156      -83     
- Misses       34548    34643      +95     
+ Partials      2131     2119      -12     
Flag Coverage Δ
e2e 57.36% <ø> (+0.02%) ⬆️
e2e-api 42.15% <ø> (-0.95%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@ggazzo ggazzo added this to the 7.14.0 milestone Dec 19, 2025
@ggazzo ggazzo merged commit 4829211 into develop Dec 19, 2025
50 checks passed
@ggazzo ggazzo deleted the bump-nodemailer branch December 19, 2025 16:53
gaolin1 pushed a commit to gaolin1/medsense.webchat that referenced this pull request Jan 6, 2026
@dougfabris dougfabris modified the milestones: 7.14.0, 8.0.0 Jan 19, 2026