Comments (4)
> this vulnerability isn't anything new

Ok, great but the current version 4-15-3 explodes the terminal 💥
Is there feature parity between mjml-5 and mjml@4-15-3?
from mjml.
Confirmed.
This needs a dependency cleanup asap. I work with mjml on most of my projects and these vulnerabilities are not good to keep.
Maybe html-minifier will patch the vulnerability on their end and MJML can follow up with it and patch it here.
from mjml.
html-minifier seems to be unmaintained. kangax/html-minifier#1135
from mjml.
Closing as duplicate of #2589
For what it's worth: this vulnerability isn't anything new. We started to check alternatives as html-minifier doesn't seem to be updated anymore:
- switch to a different package: html-minifier-terser is way too big as a dependency to be worth considering, htmlnano seems to be the best candidate
- forking html-minifier as mjml-html-minifier and patching it ourselves: I think that could work too as we can just remove unused features for MJML. I'm nowhere near an expert level in tokenizers so I don't know how to properly patch out the ReDoS vulnerability that html-minifier has.
- removing minifying completely as an option and letting users pipe the result into w/e library: not ideal IMO as some emails don't work in some email clients when not properly minified.
You can check https://www.npmjs.com/package/mjml/v/5.0.0-alpha.1 : this version removes html-minifier and js-beautify. It relies on htmlnano and prettier instead.
➜ mjml-5 yarn audit
yarn audit v1.22.22
0 vulnerabilities found - Packages audited: 224
➜ mjml-5 npm audit
found 0 vulnerabilities
from mjml.