Critical NPM Vulnerability in 'Gulp-Mail' Dependency


I was auditing a client’s repo using the Foundation 2 email stack and noticed ‘gulp-mail’ is using an extremely deprecated version of nodemailer, which is susceptible to command injection. ‘gulp-mail’ hasn’t been updated in 2 years and there don’t seem to be plans to address the problem, so it seems this issue could remain persistent as long as this dependency is being used in the build.