fix(security): bump nodemailer to 8.0.5 (4 CVEs) #41809

Open
wyattwalter wants to merge 3 commits into release from fix/cve-2025-14874-nodemailer

Conversation

@wyattwalter (Contributor) commented May 13, 2026

Summary

  • Bumps nodemailer from 6.9.9 to 8.0.5 to address all 4 known vulnerabilities:
  • Updates @types/nodemailer from ^6.4.17 to ^8.0.0
  • Only breaking changes across v7 and v8 are SES SDK removal (we use SMTP) and an error code rename (we don't check error codes) — no impact on our usage

Test plan

  • CI passes (build, lint, type-check, unit tests)
  • Verify nodemailer 8.0.5 is present in the EE image after sync
  • Smoke-test backup failure email on EE deploy preview

🤖 Generated with Claude Code

Warning: Tests have not run on the HEAD f6a3d3f yet (Thu, 14 May 2026 14:06:27 UTC)

Summary by CodeRabbit

  • Chores
    • Updated the email-sending library and its TypeScript type definitions to a newer major release, improving email reliability, compatibility, and security across the app.

Addresses CVE-2025-14874 (CVSS 7.5 High) which affects nodemailer <=7.0.10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai coderabbitai Bot (Contributor) commented May 13, 2026

Walkthrough

Bumps nodemailer from 6.9.9 → 8.0.5 and @types/nodemailer from ^6.4.17 → ^8.0.0 in app/client/packages/rts/package.json. No other metadata or scripts changed.

Changes

  • Dependency Version Alignment / Nodemailer version upgrade (app/client/packages/rts/package.json): nodemailer bumped 6.9.9 → 8.0.5; @types/nodemailer bumped ^6.4.17 → ^8.0.0 in dependencies and devDependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

📬 Nodemailer climbs to eight with cheer,
Types updated, typings clear;
A tiny change, dependencies aligned,
Build the mail, nothing unkind—
Silent upgrade, shipping near.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Description check: ⚠️ Warning. PR description provides clear summary of vulnerability fixes and version bumps, with thorough test plan and breaking change assessment, but lacks issue references and communication checkbox required by template. Resolution: Add 'Fixes #' or 'Fixes URL' referencing the CVE/security issue, and specify DevRel/Marketing communication status with the provided checkbox.

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title clearly summarizes the main security fix: bumping nodemailer to address multiple CVEs.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@wyattwalter (Contributor, Author) commented:

/build-deploy-preview skip-tests=true

@github-actions commented:

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/25840349542.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41809.
recreate: .
base-image-tag: .

@github-actions commented:

Deploy-Preview-URL: https://ce-41809.dp.appsmith.com

Upgrades from 7.0.11 to 8.0.5 to also address CVE-2025-13033,
GHSA-vvjj-xcjg (CVSS 4.9), and GHSA-c7w3-x9 (CVSS 2.3) which
affect versions <=8.0.4.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@wyattwalter wyattwalter changed the title fix(security): bump nodemailer to 7.0.11 (CVE-2025-14874) fix(security): bump nodemailer to 8.0.5 (4 CVEs) May 14, 2026
@coderabbitai coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
app/client/packages/rts/package.json (1)

42-42: ⚡ Quick win

Consider tightening @types/nodemailer version range.

The runtime nodemailer is pinned to 8.0.5 while @types/nodemailer uses ^8.0.0, which allows minor updates (e.g., 8.1.x, 8.2.x). This could lead to type/runtime mismatches if the types package introduces definitions for APIs not present in 8.0.5.

🔧 Suggested alignment
-    "@types/nodemailer": "^8.0.0",
+    "@types/nodemailer": "~8.0.0",
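Review bot: of the two alternatives offered, `~8.0.0` is the one that actually matches the concern stated above (minor updates such as 8.1.x or 8.2.x introducing definitions for APIs absent from 8.0.5): a tilde range still allows patch releases of the types package but rules out a new minor, so the runtime and the types stay on the same 8.0.x line without requiring the types package to publish a patch number that equals nodemailer's.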

Or pin exactly to match the runtime version if available:

-    "@types/nodemailer": "^8.0.0",
+    "@types/nodemailer": "8.0.5",
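Review bot: the exact pin `8.0.5` is hedged by "if available" above, and that condition matters: if no `@types/nodemailer` 8.0.5 is published, this entry fails to resolve at install time rather than merely drifting, which is a worse failure mode than the mismatch the nitpick is trying to avoid. Confirm the version exists before preferring this over the `~8.0.0` form, or keep the tilde range.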

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cacff291-afae-43ce-82ac-459a40f30b74

📥 Commits

Reviewing files that changed from the base of the PR and between 71093bc and f6a3d3f.

⛔ Files ignored due to path filters (1)
  • app/client/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • app/client/packages/rts/package.json
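An added example (not code from the PR, nodemailer or CodeRabbit) in JavaScript that serves two passages above: the test plan's "verify nodemailer 8.0.5 is present" step, checked against the affected ranges the commit messages state, and the nitpick about `^8.0.0` versus `~8.0.0` for @types/nodemailer. The advisory table and package.json entries are constructed from the page's own numbers; the two GHSA ids are truncated on the page and are folded into the second CVE's ceiling.

```javascript
// Added example, not code from the PR or from nodemailer. (1) Checks a pinned
// nodemailer version against the affected ranges stated in the PR's commit
// messages (CVE-2025-14874: <=7.0.10; CVE-2025-13033 plus two GHSA advisories:
// <=8.0.4). (2) Classifies whether a @types/nodemailer range can drift off the
// runtime's major.minor line, the point of the ^8.0.0 vs ~8.0.0 nitpick.

// Constructed advisory table; the two GHSA ids are truncated on the page, so
// only the second CVE's ceiling (which they share) is listed.
const ADVISORIES = [
  { id: "CVE-2025-14874", affectedUpTo: "7.0.10" },
  { id: "CVE-2025-13033", affectedUpTo: "8.0.4" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact version (ranges cannot be audited): ${v}`);
  return [+m[1], +m[2], +m[3]];
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Ids of advisories whose "affected up to" ceiling is >= the installed version.
function remainingAdvisories(installed) {
  return ADVISORIES.filter(a => compareVersions(installed, a.affectedUpTo) <= 0)
                   .map(a => a.id);
}

// "^" lets the types package move to a later minor; "~" keeps it on the same
// major.minor; an exact pin must share the runtime's major.minor. Assumes the
// major >= 1 caret semantics that apply to nodemailer 8.x.
function typesRangeStatus(runtime, typesRange) {
  const op = "^~".includes(typesRange[0]) ? typesRange[0] : "=";
  const base = parseVersion(op === "=" ? typesRange : typesRange.slice(1));
  const rt = parseVersion(runtime);
  if (base[0] !== rt[0]) return "major-mismatch";
  if (op === "^") return "floats-minor";
  if (base[1] !== rt[1]) return "minor-mismatch";
  return op === "~" ? "minor-locked" : "exact-pin";
}

// Constructed package.json entries mirroring the PR after the bump.
const PKG = { dependencies: { nodemailer: "8.0.5" },
              devDependencies: { "@types/nodemailer": "^8.0.0" } };
console.log(remainingAdvisories(PKG.dependencies.nodemailer));                                      // []
console.log(typesRangeStatus(PKG.dependencies.nodemailer, PKG.devDependencies["@types/nodemailer"])); // floats-minor
```

Running `typesRangeStatus` over the three ranges from the nitpick yields floats-minor for `^8.0.0`, minor-locked for `~8.0.0` and exact-pin for `8.0.5`; only the last depends on such a types release existing.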
