Dependency: html-minifier REDoS vulnerability about mjml HOT 4 CLOSED

this vulnerability isn't anything new

Ok, great but the current version 4-15-3 explodes the terminal 💥

Is there feature parity between mjml-5 and mjml@4-15-3?

from mjml.

Confirmed.
This needs a dependency cleanup asap. I work with mjml on most of my projects and this vulnerabilities are not good to keep.
Maybe html-minifier will patch the vulnerability on their end and MJML can follow up with it and patch it here.

from mjml.

html-minifier seems to be unmaintained. kangax/html-minifier#1135

from mjml.

Closing as duplicate of #2589

For what it's worth : this vulnerability isn't anything new. We started to check alternatives as html-minifier doesn't seem to be updated anymore :

• switch to a different package html-minifier-terser is way too big as a dependency to be worth considering, htmlnano seem to be the best candidate
• forking html-minifier as mjml-html-minifier and patch it ourself : I think that could work too as we can just remove unused feature for MJML. I'm nowhere near an expert level in tokenizer so I don't know how to properly patch out the reDos vulnerability that html-minifier has.
• removing completely minifying as an option and let users pipe the result in w/e library: not ideal IMO as some email doesn't work in some email clients when not properly minified.

You can check https://www.npmjs.com/package/mjml/v/5.0.0-alpha.1 this version remove html-minifier and js-beautify. It relies on htmlnano and prettier instead.

➜  mjml-5 yarn audit
yarn audit v1.22.22
0 vulnerabilities found - Packages audited: 224
➜  mjml-5 npm audit
found 0 vulnerabilities

from mjml.