From 4c842959fa110e43896daa239c3645b5e3df4dd6 Mon Sep 17 00:00:00 2001
From: David <33458145+davidmcpowell@users.noreply.github.com>
Date: Mon, 13 Oct 2025 11:06:17 +0100
Subject: [PATCH] Merge pull request #28900 from
 overleaf/renovate-npm-nodemailer-vulnerability

[Core] Update dependency nodemailer to v7 from ^6.7.0 [SECURITY]

GitOrigin-RevId: aad91a856904c3885d687f2dbfbf52872907aa6f
---
 package-lock.json         | 21 +++++++++++++++++----
 services/web/package.json |  2 +-
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 30e42d79d5..6e93dc6b0e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -37900,9 +37900,13 @@
       "license": "MIT"
     },
     "node_modules/nodemailer": {
-      "version": "6.9.9",
-      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.9.tgz",
-      "integrity": "sha512-dexTll8zqQoVJEZPwQAKzxxtFn0qTnjdQTchoU6Re9BUUGBJiOy3YMn/0ShTW6J5M0dfQ1NeDeRTTl4oIWgQMA==",
+      "version": "6.10.1",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz",
+      "integrity": "sha512-Z+iLaBGVaSjbIzQ4pX6XV41HrooLsQ10ZWPUehGmuantvzWoDVBnmsdUcOIDM1t+yPor5pDhVlDESgOMEGxhHA==",
+      "dev": true,
+      "license": "MIT-0",
+      "optional": true,
+      "peer": true,
       "engines": {
         "node": ">=6.0.0"
       }
@@ -52705,7 +52709,7 @@
         "multer": "2.0.2",
         "nocache": "^2.1.0",
         "node-fetch": "^2.7.0",
-        "nodemailer": "^6.7.0",
+        "nodemailer": "^7.0.0",
         "on-headers": "^1.0.2",
         "otplib": "^12.0.1",
         "overleaf-editor-core": "*",
@@ -53802,6 +53806,15 @@
         "node": ">= 10.13"
       }
     },
+    "services/web/node_modules/nodemailer": {
+      "version": "7.0.9",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.9.tgz",
+      "integrity": "sha512-9/Qm0qXIByEP8lEV2qOqcAW7bRpL8CR9jcTwk3NBnHJNmP9fIJ86g2fgmIXqHY+nj55ZEMwWqYAT2QTDpRUYiQ==",
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
     "services/web/node_modules/p-limit": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
diff --git a/services/web/package.json b/services/web/package.json
index e64ed6204e..129435c96b 100644
--- a/services/web/package.json
+++ b/services/web/package.json
@@ -156,7 +156,7 @@
     "multer": "2.0.2",
     "nocache": "^2.1.0",
     "node-fetch": "^2.7.0",
-    "nodemailer": "^6.7.0",
+    "nodemailer": "^7.0.0",
     "on-headers": "^1.0.2",
     "otplib": "^12.0.1",
     "overleaf-editor-core": "*",