chore(deps): update dependency mailparser to v3.9.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mailparser	3.7.4 → 3.9.3

Review

• Updates have been tested and work
• If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

---

mailparser vulnerable to Cross-site Scripting

CVE-2026-3455 / GHSA-7gmj-h9xc-mcxc

More information

Details

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

Severity

• CVSS Score: 2.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-3455
• https://github.com/nodemailer/mailparser/issues/412
• https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
• https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
• https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032
• https://github.com/advisories/GHSA-7gmj-h9xc-mcxc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

mailparser vulnerable to Cross-site Scripting

CVE-2026-3455 / GHSA-7gmj-h9xc-mcxc

More information

Details

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.

Severity

• CVSS Score: 2.0 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-3455
• https://github.com/nodemailer/mailparser/issues/412
• https://github.com/nodemailer/mailparser/commit/921a67df4cfb38f0b411037d7b26fbd4d5411b08
• https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a
• https://github.com/nodemailer/mailparser
• https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodemailer/mailparser (mailparser)

v3.9.3

Compare Source

Bug Fixes

• escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #​412

v3.9.2

Compare Source

Bug Fixes

• Bumpe deps (508bcf7)

v3.9.1

Compare Source

Bug Fixes

• update dependencies (6879d1b)

v3.9.0

Compare Source

Features

• events: Emit a new headerLines event to gain access the raw headers (#​364) (d33d7ec)

Bug Fixes

• ⬆️ update nodemailer dependency to resolve security issue GHSA-9h6g-pr28-7cqp (#​357) (8bc4225)
• 150 (919f69a)
• 272: Throw TypeError for invalid input. (abd7e43)
• 34, bump version (09aa0bd)
• bumped deps (9a13f4e)
• Bumped deps (bb9c014)
• Bumped deps (9e084f9)
• Bumped mailsplit to fix flowed parser (da753e4)
• capture decoder end event to use on cleanup (4e367f7)
• deploy: added auto-deployment (d6eb56f)
• deps: Bumped deps (db842ad)
• deps: Bumped deps to fix issue with missing whitespace (92884d0)
• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
• deps: Replaced 'punycode' with 'punycode.js' module (4a15157)
• error on ks_c_5601-1987 (89572e0)
• Fix produced text address list string according to rfc 2822 (#​340) (6bae600)
• handle simpleParser input stream error (faf9fc5)
• punycode: Fixes #​355 Deprecation warning of the punycode module (#​356) (0f35330)
• simple-parser: Buffer.from(string) default encode is utf-8,when input string‘s encode is gbk,result has some garbled (633e436)
• test: updated test matrix (18, 20, 21) (a2ba9c2)
• trigger new build (3cf6241)
• trigger new build (7f2eb78)

v3.8.1

Compare Source

Bug Fixes

• trigger new build (7f2eb78)

v3.7.5

Compare Source

Bug Fixes

• bumped deps (9a13f4e)

---

Configuration

📅 Schedule: (in timezone America/Montreal)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.