Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace nodemailer-smtp-transport with nodemailer #494

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Replace nodemailer-smtp-transport with nodemailer #494

wants to merge 6 commits into from

Conversation

robertdeniszczyc2
Copy link
Contributor

@robertdeniszczyc2 robertdeniszczyc2 commented Jan 14, 2025
edited
Loading

Resolves nested dep vuln GHSA-cf4h-3jhx-xvhq

What?

Replaces nodemailer-smtp-transport dep with nodemailer

Why?

If you consume HOF in a project building with npm, there is a nested dependency vulnerability flagged which is ranked "Critical". The vulnerability is:

Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq

The issue is in the version of underscore which is nested within the nodemailer-smtp-transport dependency

How?

Replaces nodemailer-smtp-transport dep with nodemailer

Testing?

yarn test has been run locally, but will require testing for regressions on a real HOF project to check that emails work OK

Screenshots (optional)

N/A

Anything Else? (optional)

See linked issue for more information

Check list

  • I have reviewed my own pull request for linting issues (e.g. adding new lines)
  • I have written tests (if relevant)
  • I have created a JIRA number for my branch
  • I have created a JIRA number for my commit
  • I have followed the chris beams method for my commit https://cbea.ms/git-commit/
    here is an example commit
  • Ensure workflow jobs are passing especially tests
  • I will squash the commits before merging

@robertdeniszczyc2 robertdeniszczyc2 linked an issue Jan 14, 2025 that may be closed by this pull request
Dependency nodemailer-smtp-transport is redundant and introduces flagged critical vulnerability #489
Open
@robertdeniszczyc2 robertdeniszczyc2 changed the title Replace nodemailer-smtp-transport with nodemailer. Replace nodemailer-smtp-transport with nodemailer Jan 14, 2025
@sulthan-ahmed
Copy link
Contributor

Looks good, I will just publish and test it with brp

@sulthan-ahmed
Copy link
Contributor

Hi @robertdeniszczyc2 here is a beta package 22.0.3-nodemailer-dependency-beta
thanks to @Rhodine-orleans-lindsay for this. I'll pull in and test BRP which is the only app that seems to use nodemailer

@sulthan-ahmed
Copy link
Contributor

Hi @robertdeniszczyc2 unfortunately, I'm seeing an error on the brp form, here is the PR
UKHomeOffice/brp_enquiry_forms#801

Here is the stack trace
k -n brp-branch logs biometric-residence-permit-node-mailer-update-777cc9974-wc22d biometric-residence-permit

{"level":"info","message":"Sending mail via smtp transport"}
node:internal/modules/cjs/loader:1228
  throw err;
  ^

Error: Cannot find module 'nodemailer-smtp-transport'
Require stack:
- /app/services/email/index.js
- /app/apps/common/models/email.js
- /app/apps/common/behaviours/email.js
- /app/apps/collection/index.js
- /app/server.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:1225:15)
    at Module._load (node:internal/modules/cjs/loader:1051:27)
    at Module.require (node:internal/modules/cjs/loader:1311:19)
    at require (node:internal/modules/helpers:179:18)
    at new Emailer (/app/services/email/index.js:116:49)
    at Object.<anonymous> (/app/services/email/index.js:198:18)
    at Module._compile (node:internal/modules/cjs/loader:1469:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1548:10)
    at Module.load (node:internal/modules/cjs/loader:1288:32)
    at Module._load (node:internal/modules/cjs/loader:1104:12)
    at Module.require (node:internal/modules/cjs/loader:1311:19)
    at require (node:internal/modules/helpers:179:18)
    at Object.<anonymous> (/app/apps/common/models/email.js:3:22)
    at Module._compile (node:internal/modules/cjs/loader:1469:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1548:10)
    at Module.load (node:internal/modules/cjs/loader:1288:32) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/app/services/email/index.js',
    '/app/apps/common/models/email.js',
    '/app/apps/common/behaviours/email.js',
    '/app/apps/collection/index.js',
    '/app/server.js'
  ]
}

Node.js v20.17.0

I'll look into it and see if I can identify the issue

@robertdeniszczyc2
Copy link
Contributor Author

Hi @sulthan-ahmed ,

I've put a comment on the BRP PR with a possible fix and reason why it's failing: UKHomeOffice/brp_enquiry_forms#801 (comment)

Thanks,
Rob

@sulthan-ahmed
Copy link
Contributor

Hi @robertdeniszczyc2 thanks again for your efforts. As discussed this broke brp but we were able to fix it with a simple change. I've put the PR here for reference UKHomeOffice/brp_enquiry_forms#801

This was the original code

function Emailer() {
  this.transporter = nodemailer.createTransport(require('nodemailer-' + transportType + '-transport')(emailOptions));

which was fixed with

this.transporter = nodemailer.createTransport(emailOptions);

This is a breaking change so we will need to amend the ChangeLog. Once that's done, I'll can publish the change. Do you want to amend it in your PR or shall I do it for you?

robertdeniszczyc2 and others added 5 commits January 24, 2025 13:56
@robertdeniszczyc2 @sulthan-ahmed
Replace nodemailer-smtp-transport with nodemailer.
b7d4828 
Resolves nested dep vuln GHSA-cf4h-3jhx-xvhq
@sulthan-ahmed
Remove redundant nodemailer-smtp-transport
92e5216 
- Removed the nodemailer-smtp-transport dependency
as it is redundant and introduces a flagged
critical vulnerability.
- Updated CHANGELOG.md to reflect the changes.
@sulthan-ahmed
Merge branch '489-dependency-nodemailer-smtp-transport-is-redundant-a…
de3bf29 
…nd-introduces-flagged-critical-vulnerability' of github.com:UKHomeOfficeForms/hof into 489-dependency-nodemailer-smtp-transport-is-redundant-and-introduces-flagged-critical-vulnerability
@sulthan-ahmed
Merge branch '489-dependency-nodemailer-smtp-transport-is-redundant-a…
aa1aa0b 
…nd-introduces-flagged-critical-vulnerability' of github.com:UKHomeOfficeForms/hof into 489-dependency-nodemailer-smtp-transport-is-redundant-and-introduces-flagged-critical-vulnerability
@sulthan-ahmed
Merge branch '489-dependency-nodemailer-smtp-transport-is-redundant-a…
be1932c 
…nd-introduces-flagged-critical-vulnerability' of github.com:UKHomeOfficeForms/hof into 489-dependency-nodemailer-smtp-transport-is-redundant-and-introduces-flagged-critical-vulnerability
@sulthan-ahmed sulthan-ahmed mentioned this pull request Jan 24, 2025
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sulthan-ahmed sulthan-ahmed sulthan-ahmed approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dependency nodemailer-smtp-transport is redundant and introduces flagged critical vulnerability
2 participants
@robertdeniszczyc2 @sulthan-ahmed