I don't see an npm.lock or yarn.lock file in this repo. It's recommended to commit that file and then allow your dependencies to to use the ^ so they automatically get minor/patch versions if consumers of mailparser want them.

Sorry, I like to fix all dependencies for my libraries and not use a lock file.

Sounds good. The biggest advantage of doing it though is that I wouldn't have had to create a PR and have you create a new release just to update nodemailer. If it was a minor or patch version I can just update my yarn.lock file to use a higher version of one of your dependencies as long as it's within the "range" (using ^).

Even though you've merged my PR to update nodemailer, I still can't use it until you release a new version to npm. With my suggestion above this isn't even an issue for me.