Bump mailsuite to >=2.2.1 (release 10.0.2) #783

Merged
seanthegeek merged 2 commits into master from fix/mailsuite-2.2.1-empty-address
May 24, 2026
@seanthegeek seanthegeek commented May 24, 2026

Summary

Patch release 10.0.2 bumping the mailsuite requirement from >=2.2.0 to >=2.2.1.

mailsuite 2.2.1 raises the transitive mail-parser floor to >=4.2.1, which pulls in two upstream fixes:

  1. Phantom empty-address fix. mail-parser 4.2.1 stops returning a phantom ('', '') entry for absent address headers (Cc, Bcc, Reply-To, etc.) instead of an empty list. parsedmarc reads the mail-parser object directly through its own parse_email(), so this phantom flowed straight into output: an empty {address: ""} Cc/Bcc entry was indexed for every DMARC failure-report sample in Elasticsearch/OpenSearch, and emitted in JSON/S3/Kafka output.
  2. CVE-2023-27043 hardening. mail-parser 4.2.1 also adopts the stricter address parsing that hardens against CVE-2023-27043 (CVSS 5.3) — a Python email-module flaw where an RFC 2822 header containing a special character has the wrong portion identified as the addr-spec, which can let a crafted address bypass email-domain verification.

Verification

Upgraded the venv to mailsuite 2.2.1 / mail-parser 4.2.1 and re-parsed every sample in samples/failure/:

| field | before (mail-parser 4.1.4) | after (4.2.1) |
|-------|----------------------------|---------------|
| cc    | `[{"address": "", ...}]`   | `[]`          |
| bcc   | `[{"address": "", ...}]`   | `[]`          |

Full test suite passes against the upgraded dependency (313 passed).

Out of scope (tracked separately)

  • Reply-To always empty for failure samples — a hyphen-vs-underscore key mismatch in parsedmarc's own parse_email() (reply_to vs mail-parser's reply-to), not an upstream issue. The mail-parser bump does not address it.
  • Failure dashboards — Splunk RUF dashboard renames the wrong field paths; the OpenSearch RUF "reply_to" column aggregates the In-Reply-To threading header instead of the Reply-To address.

🤖 Generated with Claude Code
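
One way to check already-emitted JSON output for the phantom Cc/Bcc entries described in this PR, and to strip them before re-indexing. This is an added example, not parsedmarc's or mail-parser's code; the `parsed_sample` container key, the field list and the sample record are assumptions constructed for illustration.

```python
import copy

# cc and bcc are the fields named in the PR; "to" and "reply_to" are included
# on the assumption that they share the same list-of-entries layout.
ADDRESS_FIELDS = ("to", "cc", "bcc", "reply_to")


def is_phantom(entry):
    """True for an address entry whose address part is empty or missing."""
    if isinstance(entry, dict):                # output style: {"address": ""}
        return not (entry.get("address") or "").strip()
    if isinstance(entry, (list, tuple)):       # parser style: ('', '')
        return len(entry) < 2 or not (entry[1] or "").strip()
    return False


def find_phantoms(record, container="parsed_sample"):
    """Return the address fields that hold at least one phantom entry."""
    sample = record.get(container) or {}
    return [field for field in ADDRESS_FIELDS
            if any(is_phantom(e) for e in sample.get(field) or [])]


def scrub(record, container="parsed_sample"):
    """Return a copy of the record with phantom entries removed."""
    cleaned = copy.deepcopy(record)
    sample = cleaned.get(container) or {}
    for field in ADDRESS_FIELDS:
        if isinstance(sample.get(field), list):
            sample[field] = [e for e in sample[field] if not is_phantom(e)]
    return cleaned


# Constructed record shaped like the "before" column of the table above.
SAMPLE_BEFORE = {
    "parsed_sample": {
        "to": [{"display_name": None, "address": "dmarc@example.com"}],
        "cc": [{"display_name": None, "address": ""}],
        "bcc": [{"display_name": None, "address": ""}],
        "reply_to": [],
    }
}

if __name__ == "__main__":
    print("affected fields:", find_phantoms(SAMPLE_BEFORE))
    print("after scrub:", find_phantoms(scrub(SAMPLE_BEFORE)))
```

Run `find_phantoms` over stored records to count documents written before the upgrade; a non-empty result on freshly parsed samples indicates the older mail-parser is still installed.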

seanthegeek and others added 2 commits May 24, 2026 12:48
mailsuite 2.2.1 raises the transitive mail-parser floor to >=4.2.1, which
stops mail-parser from returning a phantom ('', '') entry for absent address
headers (verified against samples/failure/* with mail-parser 4.2.1: cc/bcc
now parse to [] instead of [{address: ""}]). parsedmarc reads the mail-parser
object directly via its own parse_email(), so this previously caused an empty
{address: ""} Cc/Bcc entry to be indexed for every failure-report sample in
Elasticsearch/OpenSearch and emitted in JSON/S3/Kafka output.

The Reply-To-always-empty behavior in parsedmarc's own parse_email() (a
hyphen-vs-underscore key mismatch, not an upstream issue) and the failure
dashboards are out of scope here and tracked separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.58%. Comparing base (3f64e30) to head (9934a8e).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #783   +/-   ##
=======================================
  Coverage   85.58%   85.58%           
=======================================
  Files          17       17           
  Lines        4633     4633           
=======================================
  Hits         3965     3965           
  Misses        668      668           

@seanthegeek seanthegeek merged commit 2c8b2c0 into master May 24, 2026
11 checks passed
seanthegeek added a commit that referenced this pull request May 24, 2026
PR #784 was stacked on the #783 branch and its base was never retargeted to
master, so it merged into fix/mailsuite-2.2.1-empty-address instead of master.
master therefore has 10.0.2 (#783's squash) but is missing the 10.0.3 changes.

This re-lands exactly that delta — the Reply-To/Delivered-To parser fix, the
ES/OS Reply-To header flattening, and the Splunk/OpenSearch/Grafana failure
dashboard fixes, with the version bumped to 10.0.3. No mailsuite re-bump (the
>=2.2.1 floor is already on master from 10.0.2).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>