Fix CI: resolve nodemailer v8 / next-auth v4 peer dependency conflict #113
DarkModder33 merged 4 commits into main from
Agent-Logs-Url: https://github.com/DarkModder33/main/sessions/556b6e63-92e0-42ba-9745-6cdbfa1366e6
Co-authored-by: DarkModder33 <254196519+DarkModder33@users.noreply.github.com>

…nflict

Add .npmrc with legacy-peer-deps=true to allow npm to install nodemailer@^8.0.5 alongside next-auth@4.24.13, which requires nodemailer@^7.0.7 as an optional peer dependency. This keeps the security-patched nodemailer v8 (which fixes SMTP command injection vulnerabilities GHSA-c7w3-x93f-qmm8 and GHSA-vvjj-xcjg-gr5g) instead of downgrading to the vulnerable v7.

Agent-Logs-Url: https://github.com/DarkModder33/main/sessions/556b6e63-92e0-42ba-9745-6cdbfa1366e6
Co-authored-by: DarkModder33 <254196519+DarkModder33@users.noreply.github.com>
We encountered an error and are unable to review this PR. We have been notified and are working to fix it.
You can try again by commenting this pull request with @sourcery-ai review, or contact us for help.
Link Audit Status: ✅ Passed
Qodana for JVM: 53 new problems were found
Pull request overview
Resolves CI npm ci failures caused by an optional peer-dependency range mismatch between next-auth@4.24.13 (expects nodemailer@^7) and the repo’s pinned nodemailer@^8.0.5.
Changes:
- Adds `legacy-peer-deps=true` to `.npmrc` to bypass peer-dependency resolution conflicts during installs.
- Regenerates `package-lock.json` under the new install resolution behavior.
- Updates the generated typed-routes import path in `next-env.d.ts`.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .npmrc | Forces npm to use legacy peer dependency resolution to unblock npm ci. |
| package-lock.json | Lockfile regenerated to reflect the new peer-deps resolution behavior while keeping nodemailer@8.0.5. |
| next-env.d.ts | Adjusts the typed routes import path under .next/. |
| @@ -0,0 +1 @@ | |||
| legacy-peer-deps=true | |||
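Review bot: the one-line `.npmrc` added in this hunk records no reason for `legacy-peer-deps=true`, so nothing tells a later maintainer when the setting can be removed. `.npmrc` accepts `#` comment lines, so a line such as `# next-auth@4.24.13 lists optional peer nodemailer@^7.0.7; we pin ^8.0.5 for the SMTP injection fixes (GHSA-c7w3-x93f-qmm8, GHSA-vvjj-xcjg-gr5g). Remove once next-auth widens its range.` would document the trade-off at the point where it is made.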
Committing legacy-peer-deps=true at the repo root disables peer-dependency resolution checks for all npm install/ci runs (including nested projects like ai-micro/). That can mask genuine peer incompatibilities and make installs less predictable. Consider scoping this to CI only (e.g., pass --legacy-peer-deps or set NPM_CONFIG_LEGACY_PEER_DEPS=true in the affected workflows), or eliminate the root cause by removing the unused nodemailer dependency (no code references found) so the optional next-auth peer is simply absent.
`npm ci` fails in CI because `next-auth@4.24.13` declares an optional peer dep on `nodemailer@^7.0.7`, but the project pins `nodemailer@^8.0.5` — npm 7+ treats this as an unresolvable conflict and exits non-zero.

Changes

- `.npmrc` — adds `legacy-peer-deps=true` to restore npm 6-style peer dep resolution, allowing the optional version mismatch to be accepted without downgrading
- `package-lock.json` — regenerated against the updated resolution strategy, keeping `nodemailer@8.0.5` (patches SMTP command injection CVEs GHSA-c7w3-x93f-qmm8 and GHSA-vvjj-xcjg-gr5g present in all of v7.x)

Downgrading `nodemailer` to v7 was intentionally avoided — v7 has known SMTP injection vulnerabilities with no fix short of v8.0.5, and the app has no direct `nodemailer` usage.