@dependabot dependabot bot commented on behalf of github Dec 1, 2025

Bumps nodemailer from 7.0.10 to 7.0.11.

Release notes

Sourced from nodemailer's releases.

v7.0.11

7.0.11 (2025-11-26)

Bug Fixes

  • prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)
Changelog

Sourced from nodemailer's changelog.

7.0.11 (2025-11-26)

Bug Fixes

  • prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)
Commits
  • 3d17dbe chore(master): release 7.0.11 (#1783)
  • 15879f8 Bumped dev dependencies
  • b61b9c0 fix: prevent stack overflow DoS in addressparser with deeply nested groups
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated internal dependencies to improve stability and compatibility.


Bumps [nodemailer](https://github.com/nodemailer/nodemailer) from 7.0.10 to 7.0.11.
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v7.0.10...v7.0.11)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 7.0.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Dec 1, 2025
@vercel

vercel bot commented Dec 1, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
pipedream-docs Ignored Ignored Dec 1, 2025 9:42pm
pipedream-docs-redirect-do-not-edit Ignored Ignored Dec 1, 2025 9:42pm

@pipedream-component-development
Collaborator

Thank you so much for submitting this! We've added it to our backlog to review, and our team has been notified.

@pipedream-component-development
Collaborator

Thanks for submitting this PR! When we review PRs, we follow the Pipedream component guidelines. If you're not familiar, here's a quick checklist:

@coderabbitai
Contributor

coderabbitai bot commented Dec 1, 2025

Walkthrough

Nodemailer dependency upgraded from ^7.0.7 to ^7.0.11 across two package.json files in the gmail and pipedream_utils components. No code changes, API modifications, or control flow alterations.

Changes

Cohort / File(s) Summary
Dependency Updates
components/gmail/package.json, components/pipedream_utils/package.json
Nodemailer version bump from ^7.0.7 to ^7.0.11

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description check ❓ Inconclusive The PR description is comprehensive, including release notes, changelog, commits, and Dependabot metadata, but does not follow the repository's template requiring a 'WHY' section. Add a 'WHY' section to explain the business or technical rationale for this dependency update (e.g., security fix for DoS vulnerability).
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: a nodemailer dependency version bump from 7.0.10 to 7.0.11 across multiple components.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aca5999 and 8cfb12e.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • components/gmail/package.json (1 hunks)
  • components/pipedream_utils/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2024-12-12T19:23:09.039Z
Learnt from: jcortes
Repo: PipedreamHQ/pipedream PR: 14935
File: components/sailpoint/package.json:15-18
Timestamp: 2024-12-12T19:23:09.039Z
Learning: When developing Pipedream components, do not add built-in Node.js modules like `fs` to `package.json` dependencies, as they are native modules provided by the Node.js runtime.

Applied to files:

  • components/pipedream_utils/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: pnpm publish
  • GitHub Check: Verify TypeScript components
  • GitHub Check: Publish TypeScript components
  • GitHub Check: Lint Code Base
🔇 Additional comments (2)
components/gmail/package.json (1)

23-23: Approve: Security patch to prevent stack overflow DoS in addressparser.

The nodemailer bump from 7.0.10 to 7.0.11 addresses a stack overflow vulnerability in addressparser when processing deeply nested groups. This is a patch release with no breaking changes.

components/pipedream_utils/package.json (1)

23-23: Update justification: nodemailer 7.0.11 includes a bug fix for stack-overflow DoS in address parser, not a security vulnerability patch.

The review comment mischaracterizes the change. Nodemailer 7.0.11 (released 2025-11-26) fixed a bug that could cause stack overflow with deeply nested address groups, but this is not a known security vulnerability. The actual security vulnerability affecting nodemailer (CVE-2025-13033 — email misrouting) was patched in 7.0.7, and 7.0.11 is safe to use. The version bump itself is reasonable; however, the security justification in the review is inaccurate. Additionally, the claim about coordinated updates with a Gmail component could not be verified due to repository access limitations, but the primary factual error remains: this is a stability/bug fix upgrade, not a security patch.

Likely an incorrect or invalid review comment.



@michelle0927 michelle0927 merged commit 2583778 into master Dec 1, 2025
10 checks passed
@michelle0927 michelle0927 deleted the dependabot/npm_and_yarn/nodemailer-7.0.11 branch December 1, 2025 22:55
@github-project-automation github-project-automation bot moved this from Ready for PR Review to Done in Component (Source and Action) Backlog Dec 1, 2025