@himself65

☕️ Reasoning

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

📌 Resources

@vercel

vercel bot commented Oct 26, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
auth-docs Ready Ready Preview Comment Oct 26, 2025 1:19am
2 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
next-auth-docs Ignored Ignored Oct 26, 2025 1:19am
proxy Ignored Ignored Oct 26, 2025 1:19am

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
@builder.io/[email protected] has a Critical CVE.

CVE: GHSA-qr9h-j6xg-2j72 Qwik's unhandled exception vulnerability can cause server crashes from malicious requests (CRITICAL)

Affected versions: < 1.13.0

Patched version: 1.13.0

From: apps/dev/qwik/package.json → npm/@builder.io/[email protected]


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@builder.io/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@himself65 himself65 enabled auto-merge October 26, 2025 01:28
@codecov

codecov bot commented Oct 26, 2025

Codecov Report

❌ Patch coverage is 72.72727% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 39.18%. Comparing base (240e343) to head (f7998c9).
⚠️ Report is 1 commit behind head on main.

Files with missing lines Patch % Lines
packages/core/src/lib/actions/signin/send-token.ts 72.72% 6 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13305      +/-   ##
==========================================
+ Coverage   39.16%   39.18%   +0.02%     
==========================================
  Files         200      200              
  Lines       32331    32352      +21     
  Branches     1401     1404       +3     
==========================================
+ Hits        12662    12677      +15     
- Misses      19669    19675       +6     


@himself65 himself65 added this pull request to the merge queue Oct 26, 2025
Merged via the queue into main with commit 8f3b2c7 Oct 26, 2025
14 of 15 checks passed
@himself65 himself65 deleted the himself65/2025/10/25/security-issue branch October 26, 2025 01:43