Skip to content

Bump github.com/wneessen/go-mail from 0.5.2 to 0.7.1#2

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/wneessen/go-mail-0.7.1
Open

Bump github.com/wneessen/go-mail from 0.5.2 to 0.7.1#2
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/wneessen/go-mail-0.7.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 5, 2026

Copy link
Copy Markdown

Bumps github.com/wneessen/go-mail from 0.5.2 to 0.7.1.

Release notes

Sourced from github.com/wneessen/go-mail's releases.

v0.7.1: Vulnerability fix in mail address handling

[!IMPORTANT] This release fixes a vulnerability. All users are encouraged to update to this release at their earliest convenience.

Welcome to go-mail v0.7.1!

This is a security release, which addresses a bug that causes insufficient address encoding when passing mail addresses to the SMTP client, which could lead to possible wrong address routing or even to ESMTP parameter smuggling.

The details of the bug are outlined in #495 and in the go-mail security advisory: GHSA-wpwj-69cm-q9c5 Github assigned the following CVE for this vulnerability: CVE-2025-59937

The vulnerability has been reported by xclow3n. Thank you very much for the detailed report and the thorough testing!

What's Changed

Full Changelog: wneessen/go-mail@v0.7.0...v0.7.1

v0.6.2: Bugfix release

Welcome to go-mail v0.6.2! This release fixes some bugs and makes go-mail ready for Go 1.24.

Fix regression of custom SMTP authentication handling

PR #429 fixes a regression in the handling of custom smtp.Auth methods that was introduced with the v0.6.0 release. Basically, if a custom SMTP auth method was provided, it was simply ignored. Thanks to @​james-d-elliott of the Authelia project for reporting this.

Fix possible nil pointer derefernece in SendWithSMTPClient

With commit wneessen/go-mail@4641da4 we fixed a possible nil pointer dereference in the SendWithSMTPClient method. This would happen if a nil message would be provided to the method. This bug was reported using Github's private vulnerability reporting feature by @​younes199511. Thanks for the report!

Header count logic improvements

PR #421 fixed an issue in the header count logic that is used for S/MIME signing. If a header was broken into mutliple lines due to its lenght, the count logic was giving false results, resulting into false content for the S/MIME signature. Thanks to @​theexiile1305 for reporting the issue and helping to debug the issue!

Go 1.24 readiness

The PRs #431 and #433 make go-mail and its CI ready for Go 1.24.

What's Changed

CI/CD maintenance changes

Full Changelog: wneessen/go-mail@v0.6.1...v0.6.2

v0.6.1: Fix for multipart message rendering

... (truncated)

Commits
  • 42e92cf Merge pull request #496 from wneessen/bugfix/495_mail-address-parsing
  • c3c0757 Refactored error handling and return values across multiple files
  • 06b3fce Fixed test case and replaced hidden Unicode character for address injection t...
  • 158baff Bumped version to v0.7.1
  • 591f073 Added tests to validate email address injection handling
  • f61143a Refactored sender handling to make use of net/mail's mail address stringifica...
  • 0dcdac6 Added test for handling quoted local-part in recipients (issue #495)
  • ff718ad Refactored recipient handling to make use of net/mail's mail address stringif...
  • ac1eb03 Merge pull request #494 from wneessen/switch-pbkdf2-to-stdlib
  • 0508d94 Removed internal PBKDF2 implementation and replaced with Go's standard library
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump github.com/wneessen/go-mail from 0.5.2 to 0.7.1
50801f4 
Bumps [github.com/wneessen/go-mail](https://github.com/wneessen/go-mail) from 0.5.2 to 0.7.1.
- [Release notes](https://github.com/wneessen/go-mail/releases)
- [Commits](wneessen/go-mail@v0.5.2...v0.7.1)

---
updated-dependencies:
- dependency-name: github.com/wneessen/go-mail
  dependency-version: 0.7.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Mar 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants