postal-mime is an email parsing library for Node.js, web browsers (including Web Workers), and serverless environments (such as Cloudflare Email Workers). It parses raw RFC822 email data into a structured object with headers, recipients, attachments, and more, including support for complex MIME parts and nested multiparts.
Project status
- The repository (postalsys/postal-mime) appears actively maintained, with multiple recent updates, the latest on 2026-03-17, and earlier updates in early January 2026.
- Update cadence looks moderately regular, with v2.7.2 on 2026-01-08, v2.7.3 on 2026-01-09, and v2.7.4 on 2026-03-17 (roughly weeks to a couple months between updates).
AI summary generated Today
Recent updates
v2.7.4
2 months agopostal-mime v2.7.4 is a bug-fix release focused on RFC 2047 encoded-word handling and improving header metadata support. The release also updates TypeScript typings and runtime output to include original header casing, and tightens parsing behavior to avoid fabricated email addresses from unsafe encoded words.
BreakingSecurityv2.7.3
4 months agov2.7.3 primarily updates the TypeScript type definitions to better match the library implementation. The release notes only mention this generally, while the actual diff shows concrete type shape changes in exported public types.
v2.7.2
5 months agov2.7.2 focuses on MIME parsing robustness, adding null checks around `contentType.parsed` access and improving RFC 2046 parsing behavior. The code diff also includes additional RFC compliance changes that are not explicitly called out in the release notes, including new defaults for `multipart/digest` parts and stripping RFC 822 comments from structured headers.
v2.7.1
5 months agov2.7.1 is a small patch release focused on preventing crashes when parsing mail parts that may not include a fully-populated contentDisposition structure. The main code change adds null-safe access around contentDisposition.parsed usage.
v2.7.0
5 months agov2.7.0 introduces a new `headerLines` property on parsed emails, intended to expose the raw header lines, including merged folded headers. The TypeScript definitions, tests, and the changelog are updated accordingly. No other major release-note items are mentioned.
Featuresv2.6.1
6 months agov2.6.1 adds a safeguard to prevent denial of service from deeply nested address groups in the address parser. It also updates TypeScript type definitions to better match the actual runtime structures returned by the library.
v2.6.0
7 months agov2.6.0 adds CommonJS compatibility for postal-mime, enabling use with require() in addition to existing ESM usage. The change is implemented by introducing a new build step that emits CommonJS artifacts to dist using esbuild, and updating package.json entrypoints/exports accordingly.
Featuresv2.5.0
8 months agoRelease v2.5.0 adds comprehensive TypeScript support, including new type-checking and runtime type-validation tests. The changes primarily focus on exposing and validating the package's TypeScript types, and updating the test and build setup to enforce type correctness.
Featuresv2.4.7
8 months agov2.4.7 includes a targeted fix in address parsing to prevent email address extraction from quoted strings, plus a broad set of newly added tests. The code diff also shows additional parsing logic changes (quoting state tracking, token joining, and nested group flattening) and a notable TypeScript type definition refactor in postal-mime.d.ts.
BreakingSecurityv2.4.6
8 months agov2.4.6 adds security-focused limits to MIME parsing to mitigate resource abuse. The implementation enforces a maximum MIME nesting depth and a maximum cumulative header size, throwing errors when limits are exceeded, and it updates TypeScript typings.
SecurityFeatures