Skip to content

Update dependency mailparser to v3.9.3 [SECURITY]#78

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-mailparser-vulnerability
Open

Update dependency mailparser to v3.9.3 [SECURITY]#78
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-mailparser-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 4, 2026

This PR contains the following updates:

Package Change Age Confidence
mailparser 3.7.43.9.3 age confidence

GitHub Vulnerability Alerts

CVE-2026-3455

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

Release Notes

nodemailer/mailparser (mailparser)

v3.9.3

Compare Source

Bug Fixes
  • escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #​412

v3.9.2

Compare Source

Bug Fixes

v3.9.1

Compare Source

Bug Fixes

v3.9.0

Compare Source

Features
  • events: Emit a new headerLines event to gain access the raw headers (#​364) (d33d7ec)
Bug Fixes
  • ⬆️ update nodemailer dependency to resolve security issue GHSA-9h6g-pr28-7cqp (#​357) (8bc4225)
  • 150 (919f69a)
  • 272: Throw TypeError for invalid input. (abd7e43)
  • 34, bump version (09aa0bd)
  • bumped deps (9a13f4e)
  • Bumped deps (bb9c014)
  • Bumped deps (9e084f9)
  • Bumped mailsplit to fix flowed parser (da753e4)
  • capture decoder end event to use on cleanup (4e367f7)
  • deploy: added auto-deployment (d6eb56f)
  • deps: Bumped deps (db842ad)
  • deps: Bumped deps to fix issue with missing whitespace (92884d0)
  • deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
  • deps: Replaced 'punycode' with 'punycode.js' module (4a15157)
  • error on ks_c_5601-1987 (89572e0)
  • Fix produced text address list string according to rfc 2822 (#​340) (6bae600)
  • handle simpleParser input stream error (faf9fc5)
  • punycode: Fixes #​355 Deprecation warning of the punycode module (#​356) (0f35330)
  • simple-parser: Buffer.from(string) default encode is utf-8,when input string‘s encode is gbk,result has some garbled (633e436)
  • test: updated test matrix (18, 20, 21) (a2ba9c2)
  • trigger new build (3cf6241)
  • trigger new build (7f2eb78)

v3.8.1

Compare Source

Bug Fixes

v3.7.5

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency mailparser to v3.9.3 [SECURITY] Update dependency mailparser to v3.9.3 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-mailparser-vulnerability branch March 27, 2026 01:52
@renovate renovate bot changed the title Update dependency mailparser to v3.9.3 [SECURITY] - autoclosed Update dependency mailparser to v3.9.3 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-mailparser-vulnerability branch 2 times, most recently from b5addec to 8301eff Compare March 30, 2026 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants