antfu-collective / vite-ssg

Static site generation for Vue 3 on Vite

html-minifier high security vulnerability

grybykm opened this issue · comments

# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m

node_modules/html-minifier
  vite-ssg  >=0.5.0
  Depends on vulnerable versions of html-minifier
  node_modules/vite-ssg

Hi,
Kangax html-minifier has had no update on npm for 5 years. In this issue kangax/html-minifier#1135 some people recommend using a fork: https://www.npmjs.com/package/html-minifier-terser

How would you go about swapping these if using NPM, since it's a dependency for a dependency?

Hi, Kangax html-minifier has had no update on npm for 5 years. In this issue kangax/html-minifier#1135 some people recommend using a fork: https://www.npmjs.com/package/html-minifier-terser

Exactly! Thank you as I was swinging by here to bring over this comment link:

kangax/html-minifier#1135 (comment)

I think this might have to be solved by switching the deps in this project. I'm not sure how to do that yet though, as antfu uses/used a different environment that I don't work with much as an old schooler... so I never really got over the initial learning curve to even try and help out with this project constructively. :(

If anyone can send me a tutorial link for this flavor of a local development stack used here in vite-ssg, I can try to carve out an afternoon to finally wrap my head around it and then take a stab at swapping out the vulnerable dep for the html-minifier-terser one that's being maintained more.

Otherwise, cheers and happy hacking, everyone!

How would you go about swapping these if using NPM, since it's a dependency for a dependency?

The first thing to try in a downstream repo dependent on this repo would probably be this approach:

https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides

Note, I have not tried that yet though. But this would be the path of least resistance, theoretically. Cheers!
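The override approach linked above, written out as an added example (not from this thread or the vite-ssg project): a downstream package.json that replaces the transitive html-minifier only underneath vite-ssg with the html-minifier-terser fork via an npm alias, so the rest of the tree is untouched. The project name, the vite-ssg range and the html-minifier-terser version are assumptions; use whatever your project already pins.

```json
{
  "name": "my-vite-ssg-site",
  "private": true,
  "dependencies": {
    "vite-ssg": "^0.5.0"
  },
  "overrides": {
    "vite-ssg": {
      "html-minifier": "npm:html-minifier-terser@^7.2.0"
    }
  }
}
```

After `npm install`, `npm ls html-minifier` should show the aliased package under vite-ssg and `npm audit` should no longer report GHSA-pfq8-rq6v-vf5m there. The swap is only safe if vite-ssg's call matches the fork's API (html-minifier-terser's minify() became async in v6), so inspect the generated HTML rather than trusting the clean audit alone.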

I also have this problem. Do you know if it's planned to resolve this problem in the vite-ssg module?