chore: bump up nodemailer version to v6.9.9 [SECURITY] (#5780)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [nodemailer](https://nodemailer.com/) ([source](https://togithub.com/nodemailer/nodemailer)) | [`6.9.7` -> `6.9.9`](https://renovatebot.com/diffs/npm/nodemailer/6.9.7/6.9.9) | [![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/nodemailer/6.9.7/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/6.9.7/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [GHSA-9h6g-pr28-7cqp](https://togithub.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp)

### Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the event loop to get stuck.
Another flaw was found when nodemailer tries to parse an attachment with an embedded file, causing the event loop to get stuck.

### Details

Regex: `/^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/`

Path: `compile -> getAttachments -> _processDataUrl`

Regex: `/(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/`

Path: `_convertDataImages`

### PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

### Impact

ReDoS causes the event loop to get stuck; a specially crafted evil email can cause this problem.

---

### Release Notes

<details>
<summary>nodemailer/nodemailer (nodemailer)</summary>

### [`v6.9.9`](https://togithub.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#699-2024-02-01)

[Compare Source](https://togithub.com/nodemailer/nodemailer/compare/v6.9.8...v6.9.9)

##### Bug Fixes

-   **security:** Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurrences are expected ([dd8f5e8](dd8f5e8a4d))
-   **tests:** Use native node test runner, added code coverage support, removed grunt ([#1604](https://togithub.com/nodemailer/nodemailer/issues/1604)) ([be45c1b](be45c1b299))

### [`v6.9.8`](https://togithub.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#698-2023-12-30)

[Compare Source](https://togithub.com/nodemailer/nodemailer/compare/v6.9.7...v6.9.8)

##### Bug Fixes

-   **punycode:** do not use native punycode module ([b4d0e0c](b4d0e0c7cc))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---


This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE).
LongYinan 2024-02-02 05:53:44 +00:00
parent d23f8f8087
commit 67ab814108
No known key found for this signature in database
GPG Key ID: 30B1140CE1C07C99
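
The first pattern quoted in the advisory parses a data URL with nested, overlapping quantifiers; the same split can be done with a single forward scan that cannot backtrack. This is an added example, not nodemailer's actual patch and not code from this commit: `parseDataUrl`, `MAX_DATA_URL_LENGTH` and `MAX_HEADER_PARAMS` are hypothetical names, and splitting at the first comma follows RFC 2397 rather than reproducing the regex's exact matching.

```javascript
// Assumed limits for illustration; tune them to what your application accepts.
const MAX_DATA_URL_LENGTH = 10 * 1024 * 1024; // hypothetical cap on the whole URL
const MAX_HEADER_PARAMS = 8; // a data URL header carries only a few ";" parts

// Parse "data:[<mediatype>][;param=value]*[;base64],<data>" in linear time.
// Returns null for anything that is not a well-formed data URL within limits.
function parseDataUrl(input) {
    if (typeof input !== 'string' || input.length > MAX_DATA_URL_LENGTH) {
        return null;
    }
    if (input.slice(0, 5).toLowerCase() !== 'data:') {
        return null;
    }
    // One forward scan for the first comma: no backtracking is possible.
    const comma = input.indexOf(',', 5);
    if (comma === -1) {
        return null;
    }
    const parts = input.slice(5, comma).split(';');
    if (parts.length > MAX_HEADER_PARAMS + 1) {
        return null;
    }
    const contentType = (parts.shift() || 'text/plain').trim().toLowerCase();
    let base64 = false;
    const params = {};
    for (const part of parts) {
        const item = part.trim();
        if (item.toLowerCase() === 'base64') {
            base64 = true;
            continue;
        }
        const eq = item.indexOf('=');
        if (eq > 0) {
            params[item.slice(0, eq).toLowerCase()] = item.slice(eq + 1);
        }
    }
    const payload = input.slice(comma + 1);
    try {
        const content = base64
            ? Buffer.from(payload, 'base64')
            : Buffer.from(decodeURIComponent(payload), 'utf8');
        return { contentType, params, base64, content };
    } catch (err) {
        return null; // malformed percent-encoding in a non-base64 payload
    }
}
```
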

@ -27969,9 +27969,9 @@ __metadata:
linkType: hard
"nodemailer@npm:^6.9.7":
version: 6.9.7
resolution: "nodemailer@npm:6.9.7"
checksum: 10/32b6e6c3f5e0ab6c5fa796934fee397e8b520f6d782fc41d8bd5aaf72a2e757564b8e7e7f7aa02fcf0ba73a83d364bdb923c2dbb76a32ac87a5c628d1bde03df
version: 6.9.9
resolution: "nodemailer@npm:6.9.9"
checksum: 10/d81f8613c35785aeb60dd0e3ead2c2c0171c709381fde17ada112f5ac635630814ad09492dacaf0fd30158492ed834abb82d9c58b49e9b495e5c675fbc5fffef
languageName: node
linkType: hard
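
Review bot: The entry key stays `"nodemailer@npm:^6.9.7"` while only `version`, `resolution` and `checksum` move to 6.9.9, so the declared range still admits 6.9.7 and 6.9.8 and the fix for GHSA-9h6g-pr28-7cqp is held in place by the lockfile alone. Consider raising the range in the dependent package.json to `^6.9.9` in the same change, so the minimum accepted version is the patched one and the lockfile key reflects it.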