npm audit: html-minifier

Question

npm audit: html-minifier

pascalgrimaud opened this issue 3 months ago · comments

In current version v1.9.0, there are several warnings
I don't know if we can do something.
Any idea @Gnuk ?

➜ npm audit    
# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  html2pug  >=0.0.1
  Depends on vulnerable versions of html-minifier
  node_modules/html2pug
    @tikui/core  *
    Depends on vulnerable versions of html2pug
    node_modules/@tikui/core

3 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Pascal Grimaud · Answer 1 · Tue Jun 04 2024 22:43:25 GMT+0800 (China Standard Time)

adding a small bounty to fix this warning

Aurélien Mino · Answer 2 · Wed Jun 05 2024 03:51:39 GMT+0800 (China Standard Time)

I already investigated using an alternative library for html2pug on the tikui side, I'll finish my work and push it.

Anthony Rey · Answer 3 · Tue Jun 11 2024 20:30:22 GMT+0800 (China Standard Time)

We released a new version of Tikui core yesterday with the alternative. Thanks @murdos for the PR.

Aurélien Mino · Answer 4 · Sun Jul 28 2024 04:37:51 GMT+0800 (China Standard Time)

@pascalgrimaud : bounty claimed: https://opencollective.com/generator-jhipster/expenses/213109

Pascal Grimaud · Answer 5 · Sun Jul 28 2024 12:50:28 GMT+0800 (China Standard Time)

@murdos : approved