489 nodemailer smtp transport critical vulnerability fix v2

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 2025-01-24, Version 22.1.0 (Stable), @sulthan-ahmed
+* ⛓️‍💥 **BREAKING CHANGE** : removed `nodemailer-smtp-transport` replaced with `nodemailer`. 
+  - The nodemailer-smtp-transport package has been removed due to a critical vulnerability, and its functionality has been consolidated under nodemailer.
+  - 👊 Impact : Any functions or configurations relying on nodemailer-smtp-transport must be updated to use nodemailer.
+  - 🎬 Action: Rewrite code to utilize nodemailer as the replacement, ensuring compatibility and security.
+
 ## 2025-01-17, Version 22.0.0 (Stable), @Rhodine-orleans-lindsay
 * Adds session timeout warning
   - user can stay on page or exit form
@@ -6,31 +12,31 @@
   - adds default save-and-exit html
   - updates confirmation html to a static page
   - allows for customisation of session timeout warning dialog content, exit and save-and-exit page content, and exit and save-and-exit steps
-  - Potential **_breaking change_**: Static pages should use the ```{{<layout}}...{{/layout}}``` tags instead of the ```{{<partials-page}}...{{/partials-page}}``` tags if the timeout warning should not be displayed.
+  - Potential **_breaking change_**: Static pages should use the `{{<layout}}...{{/layout}}` tags instead of the `{{<partials-page}}...{{/partials-page}}` tags if the timeout warning should not be displayed.
 * Fixes accessibility issues
 * Sandbox area for testing hof changes
 * Updates patch and minor dependency versions
 
 ## 2024-07-22, Version 21.0.0 (Stable), @Rhodine-orleans-lindsay
 * Replaces deprecated request module with axios
   - refactors the hof model and apis to use axios instead of request
-*  Updates patch and minor dependency versions
+* Updates patch and minor dependency versions
 
 ## 2024-04-24, Version 20.5.0 (Stable), @mislam987
 * Add hint property to checkboxes to align with govuk design guidelines
 
 ## 2024-02-29, Version 20.4.0 (Stable), @sulthan-ahmed
 * Update version of govuk-frontend to 3.15
-- this adds the new crown for the King
-- this supports a lot of changes from the govuk design system
+  - this adds the new crown for the King
+  - this supports a lot of changes from the govuk design system
 * Adds support for Google tag manager
 * Fixes accessibility issues
 * Sandbox area for testing hof changes
 * Updates patch and minor versions including
-- libphonenumber to 1.9.44
-- nodemailer to 6.9.9
-- ip to 1.1.9
-- es5-ext to 0.10.63
+  - libphonenumber to 1.9.44
+  - nodemailer to 6.9.9
+  - ip to 1.1.9
+  - es5-ext to 0.10.63
 
 ## 2020-06-02, Version 16.0.0 (Stable), @andymoody
 * Update version of helmet to 3.22.0

README.md

@@ -1205,7 +1205,7 @@ The following transport options are available:
 
 #### `smtp`
 
-[nodemailer-smtp-transport](https://github.com/andris9/nodemailer-smtp-transport)
+[nodemailer](https://github.com/nodemailer/nodemailer)
 
 ##### Options
 

components/emailer/transports/smtp.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const smtp = require('nodemailer-smtp-transport');
+const smtp = require('nodemailer');
 
 module.exports = options => {
   if (!options.host) {

package.json

@@ -1,7 +1,7 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "22.0.1",
+  "version": "22.1.0",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",
@@ -79,7 +79,6 @@
     "mustache": "^4.2.0",
     "nodemailer": "^6.6.3",
     "nodemailer-ses-transport": "^1.5.1",
-    "nodemailer-smtp-transport": "^2.7.4",
     "nodemailer-stub-transport": "^1.1.0",
     "notifications-node-client": "^8.2.0",
     "redis": "^3.1.2",

test/components/emailer/transports/smtp.spec.js

@@ -10,7 +10,7 @@ describe('transports/smtp', () => {
     nodemailerSmtpTransport = sinon.stub();
 
     smtpTransport = proxyquire('../../../../components/emailer/transports/smtp', {
-      'nodemailer-smtp-transport': nodemailerSmtpTransport
+      nodemailer: nodemailerSmtpTransport
     });
   });