org.webjars.npm:nodemailer-smtp-pool
Applies to Nodemailer v1.x, not to v0.x, where transports are built-in.
Install with npm
npm install nodemailer-smtp-pool
Require to your script
var nodemailer = require('nodemailer');
var smtpPool = require('nodemailer-smtp-pool');
Create a Nodemailer transport object
var transporter = nodemailer.createTransport(smtpPool(options))
Where
- options.secure defines if the connection should use SSL (if true) or not (if false)
- options.debug if true then logs to console. If the value is not set or is false then nothing is logged
- options.rateLimit (defaults to false) limits the message count to be sent in a second. Once rateLimit is reached, sending is paused until the end of the second. This limit is shared between connections, so if one connection uses up the limit, then other connections are paused as well
Alternatively you can use a connection url with protocol 'smtp:' or 'smtps:'. Use query arguments for additional configuration values.
Pooled SMTP transport uses the same options as SMTP transport with the addition of maxConnections and maxMessages.
Example
var transport = nodemailer.createTransport(smtpPool({
host: 'localhost',
port: 25,
auth: {
user: 'username',
pass: 'password'
},
// use up to 5 parallel connections
maxConnections: 5,
// do not send more than 10 messages per connection
maxMessages: 10,
// do not send more than 5 messages in a second
rateLimit: 5
}));
Or with a connection url (gmail); note that the pooled transport is still created with smtpPool, and that the '@' in the username is percent-encoded as %40
var transporter = nodemailer.createTransport(
smtpPool('smtps://username%40gmail.com:password@smtp.gmail.com')
);
The following events are emitted by this transport
- 'idle': emitted if there are free slots in the connection pool. Check with the .isIdle() method if these free slots are still available.
Using this method makes sense if you maintain your own queue (for example, pulling from some queue service).
// pending messages as message objects, not a placeholder string
var messages = [
{ from: 'sender@example.com', to: 'first@example.com', subject: 'hello', text: 'first message' },
{ from: 'sender@example.com', to: 'second@example.com', subject: 'hello', text: 'second message' }
];
transporter.on('idle', function(){
// send next messages from the pending queue while the pool has free slots
while(transporter.isIdle() && messages.length){
transporter.sendMail(messages.shift(), function(err, info){
if (err) { console.log('send failed: %s', err.message); }
});
}
});
If authentication data is not present, the connection is considered authenticated from the start.
Set authentication data with options.auth
Where
- auth.user is the username
- auth.pass is the password for the user if normal login is used
- auth.xoauth2 is the OAuth2 access token (preferred if both pass and xoauth2 values are set) or an XOAuth2 token generator object.
If an XOAuth2 token generator is used as the value for auth.xoauth2, then you do not need to set the value for auth.user. The XOAuth2 generator generates the required accessToken itself if it is missing or expired. In this case, if the authentication fails, a new token is requested and the authentication is retried once. If it still fails, an error is returned.
Install xoauth2 module to use XOauth2 token generators (not included by default)
npm install xoauth2 --save
XOAuth2 Example
NB! The correct OAuth2 scope for Gmail is https://mail.google.com/
var generator = require('xoauth2').createXOAuth2Generator({
user: '{username}',
clientId: '{Client ID}',
clientSecret: '{Client Secret}',
refreshToken: '{refresh-token}',
accessToken: '{cached access token}' // optional
});
// listen for token updates
// you probably want to store these to a db
generator.on('token', function(token){
console.log('New token for %s: %s', token.user, token.accessToken);
});
// login
var transport = nodemailer.createTransport(smtpPool({
service: 'gmail',
auth: {
xoauth2: generator
},
maxConnections: 5,
maxMessages: 10
}));
If you do not want to specify the hostname, port and security settings for a well known service, you can use it by its name (case insensitive).
smtpPool({
service: 'gmail',
auth: ..
});
See the list of all supported services here.
Close all connections with close()
transport.close();
You can verify your configuration with verify(callback)
call. If it returns an error, then something is not correct, otherwise the server is ready to accept messages.
// verify connection configuration
transporter.verify(function(error, success) {
if (error) {
console.log(error);
} else {
console.log('Server is ready to take our messages');
}
});
License: MIT
WebJar for nodemailer-smtp-pool
Socket found that org.webjars.npm:nodemailer-smtp-pool has an unhealthy version release cadence and low project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.