Dependency: html-minifier REDoS vulnerability
boxexchanger opened this issue · comments
Describe the bug
31 high severity vulnerabilities
html-minifier *
Severity: high
kangax html-minifier REDoS vulnerability - GHSA-pfq8-rq6v-vf5m
To Reproduce
Steps to reproduce the behavior:
- Init new project and install
npm i mjml
- check
npm audit
result will be 31 high severity vulnerabilities
Expected behavior
found 0 vulnerabilities
Environment:
nodejs v20.11.1 + mjml 4.15.3
Confirmed.
This needs a dependency cleanup asap. I work with mjml on most of my projects and this vulnerabilities are not good to keep.
Maybe html-minifier
will patch the vulnerability on their end and MJML can follow up with it and patch it here.
html-minifier
seems to be unmaintained. kangax/html-minifier#1135
Closing as duplicate of #2589
For what it's worth : this vulnerability isn't anything new. We started to check alternatives as html-minifier doesn't seem to be updated anymore :
- switch to a different package html-minifier-terser is way too big as a dependency to be worth considering, htmlnano seem to be the best candidate
- forking html-minifier as
mjml-html-minifier
and patch it ourself : I think that could work too as we can just remove unused feature for MJML. I'm nowhere near an expert level in tokenizer so I don't know how to properly patch out the reDos vulnerability thathtml-minifier
has. - removing completely minifying as an option and let users pipe the result in w/e library: not ideal IMO as some email doesn't work in some email clients when not properly minified.
You can check https://www.npmjs.com/package/mjml/v/5.0.0-alpha.1 this version remove html-minifier and js-beautify. It relies on htmlnano and prettier instead.
➜ mjml-5 yarn audit
yarn audit v1.22.22
0 vulnerabilities found - Packages audited: 224
➜ mjml-5 npm audit
found 0 vulnerabilities