Reputation: 1
When trying to install @nestjs-modules/mailer, I received this message:
The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
Obviously, I don't feel safe working with this package. Do you know how to solve this issue? How to send an email with NestJS in a secure way?
I'm trying to send emails in a secure way with NestJS, and I need documentation without deprecated packages.
Upvotes: 0
Views: 730
Reputation: 391
Hope my answer helps.
It's because one of the @nestjs-modules/mailer nested dependencies, degenerator, uses the vm2 package as a dependency, but now vm2 is vulnerable.
That's why in the latest major update of degenerator they switched from vm2 to quickjs-emscripten; here is the CHANGELOG.
In our project we updated degenerator to the latest version to avoid vulnerability issues.
"resolutions": {
  "degenerator": "5.0.1"
}
Or you can use another package for mailing.
Dependency graph of @nestjs-modules/mailer package
Upvotes: 0
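To confirm that pinning degenerator really removed vm2 from the installed tree, the lockfile can be walked for any remaining dependency chain that ends in vm2. This is an added example, not code from either answer; it assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3), and the sample lockfiles, the `proxy-helper` package and the `0.0.0-sample` versions are constructed placeholders.

```javascript
// Added example. Sample lockfiles are constructed; "proxy-helper" and the
// "0.0.0-sample" versions are hypothetical placeholders, not real releases.
const MARK = "node_modules/";
const nameOf = (p) => p.slice(p.lastIndexOf(MARK) + MARK.length);

// Node-style lookup: nearest node_modules first, then each parent directory.
function resolveDep(packages, from, dep) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + MARK + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    base = base.includes("/" + MARK) ? base.slice(0, base.lastIndexOf("/" + MARK)) : "";
  }
}

// Breadth-first walk from the root; one shortest chain per installed copy of `target`.
function chainsTo(lock, target) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]);
  const queue = [""], hits = [];
  while (queue.length) {
    const path = queue.shift();
    const e = packages[path] || {};
    const deps = { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, path, dep);
      if (next === null || parent.has(next)) continue; // missing or already seen
      parent.set(next, path);
      if (dep === target) hits.push(next); else queue.push(next);
    }
  }
  return hits.map((hit) => {
    const chain = [];
    for (let p = hit; p; p = parent.get(p)) chain.unshift(`${nameOf(p)}@${packages[p].version}`);
    return chain.join(" > ");
  });
}

const v = "0.0.0-sample";
const before = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@nestjs-modules/mailer": "*" } },
  "node_modules/@nestjs-modules/mailer": { version: v, dependencies: { "proxy-helper": "*" } },
  "node_modules/proxy-helper": { version: v, dependencies: { degenerator: "*" } },
  "node_modules/degenerator": { version: v, dependencies: { vm2: "*" } },
  "node_modules/vm2": { version: v },
} };
const after = JSON.parse(JSON.stringify(before)); // tree after pinning degenerator 5.0.1
after.packages["node_modules/degenerator"] = { version: "5.0.1", dependencies: { "quickjs-emscripten": "*" } };
after.packages["node_modules/quickjs-emscripten"] = { version: v };
delete after.packages["node_modules/vm2"];
console.log(chainsTo(before, "vm2"), chainsTo(after, "vm2"));
```

The `resolutions` field is read by Yarn; with npm the equivalent package.json field is `overrides`, and the npm lockfile it produces is what this check reads.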
Reputation: 70450
I'm cutting out the third party wrapper module and using nodemailer directly in my side project. Pretty easy to write your own wrapper module and modify as necessary.
There is a merged PR, but it is unreleased and it seems many people in the comments have moved away from the package as well.
Upvotes: 0