From 2bedbee08d10f35abe0cef60013fbd758a2f7a9f Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)" <tsschulz@gmx.net>
Date: Wed, 15 Apr 2026 21:00:43 +0200
Subject: [PATCH] Upgrade nodemailer to latest major for audit compliance.

This removes the remaining SMTP command injection advisories by moving to nodemailer 8.0.5 and refreshing the lockfile accordingly.

Made-with: Cursor
---
 package-lock.json |  8 ++++----
 package.json      | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 40813f0..b0c0fe2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17,7 +17,7 @@
         "dompurify": "^3.3.1",
         "jsonwebtoken": "^9.0.2",
         "multer": "^2.0.2",
-        "nodemailer": "^7.0.9",
+        "nodemailer": "^8.0.5",
         "nuxt": "^4.1.3",
         "pdf-lib": "^1.17.1",
         "pdf-parse": "^2.4.5",
@@ -10493,9 +10493,9 @@
       "license": "MIT"
     },
     "node_modules/nodemailer": {
-      "version": "7.0.13",
-      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.13.tgz",
-      "integrity": "sha512-PNDFSJdP+KFgdsG3ZzMXCgquO7I6McjY2vlqILjtJd0hy8wEvtugS9xKRF2NWlPNGxvLCXlTNIae4serI7dinw==",
+      "version": "8.0.5",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.5.tgz",
+      "integrity": "sha512-0PF8Yb1yZuQfQbq+5/pZJrtF6WQcjTd5/S4JOHs9PGFxuTqoB/icwuB44pOdURHJbRKX1PPoJZtY7R4VUoCC8w==",
       "license": "MIT-0",
       "engines": {
         "node": ">=6.0.0"
diff --git a/package.json b/package.json
index 3ffd4f6..cb1d5e6 100644
--- a/package.json
+++ b/package.json
@@ -5,16 +5,16 @@
   "private": true,
   "type": "module",
   "scripts": {
-  "dev": "nuxt dev --port 3100",
+    "dev": "nuxt dev --port 3100",
     "build": "nuxt build",
     "generate": "nuxt generate",
     "preview": "nuxt preview --port 3100",
     "start": "nuxt start --port 3100",
     "postinstall": "nuxt prepare",
-  "test": "vitest run",
-  "check-security": "node scripts/verify-no-public-writes.js",
-  "smoke-local": "BASE_URL=http://127.0.0.1:3100 node scripts/smoke-tests.js",
-  "sync-public-data": "node scripts/sync-public-data.js",
+    "test": "vitest run",
+    "check-security": "node scripts/verify-no-public-writes.js",
+    "smoke-local": "BASE_URL=http://127.0.0.1:3100 node scripts/smoke-tests.js",
+    "sync-public-data": "node scripts/sync-public-data.js",
     "test:watch": "vitest watch",
     "lint": "eslint . --fix"
   },
@@ -27,7 +27,7 @@
     "dompurify": "^3.3.1",
     "jsonwebtoken": "^9.0.2",
     "multer": "^2.0.2",
-    "nodemailer": "^7.0.9",
+    "nodemailer": "^8.0.5",
     "nuxt": "^4.1.3",
     "pdf-lib": "^1.17.1",
     "pdf-parse": "^2.4.5",