Prototype pollution vulnerability affecting cheerio and juice package
This package uses cheerio ^0.22.0 and cheerio uses [email protected]. snyk has reported a vulnerability: https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
Steps to reproduce the behavior: Run the snyk cli tool on this package
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
From: [email protected] > [email protected] > [email protected]
lodash has published latest version to fix this. cheerio has fix in RC 1.0.0-rc.3.
any idea when we can fix it?
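The advisory linked above concerns prototype pollution in a deep-merge routine. The following is an added example, not code from juice, cheerio or lodash: a deliberately naive recursive merge shows how a JSON input carrying a `__proto__` key ends up writing into `Object.prototype`, and `safeMerge` beside it shows the usual hardening (own keys only, dangerous keys rejected). `hasDangerousKeys` is a small input check a maintainer could run on untrusted objects before merging. All function names and the JSON payload are constructed for this illustration.

```javascript
// Added example: naive vs. hardened deep merge, plus an input check.
// Not the implementation used by juice, cheerio or lodash.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: walks every enumerable key and recurses through
// target[key]. For key "__proto__", target[key] resolves to
// Object.prototype, so the nested values are written onto every object.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: iterate own keys only, skip keys that reach the
// prototype chain, and only recurse into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defensive check: does a parsed input contain any key that a merge could
// use to reach Object.prototype? Useful as a reject-early guard.
function hasDangerousKeys(value) {
  if (!isPlainObject(value)) return false;
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) return true;
    if (hasDangerousKeys(value[key])) return true;
  }
  return false;
}

// Runs one merge against a constructed payload and reports whether a fresh
// object afterwards exposes the injected property. Cleans up so repeated
// calls start from an unpolluted prototype.
function demonstrate(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naiveMerge leaks into Object.prototype:", demonstrate(naiveMerge));
  console.log("safeMerge leaks into Object.prototype:", demonstrate(safeMerge));
  console.log("hasDangerousKeys:", hasDangerousKeys(JSON.parse('{"a":{"__proto__":{"x":1}}}')));
}
```

`JSON.parse` creates `__proto__` as an own data property rather than setting the prototype, which is exactly why a merge that treats every key as ordinary data is the dangerous step; the fix is in the merge (or a guard like `hasDangerousKeys`), not in the parser.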
Is juice willing to upgrade to cheerio v1 RC? Or is it better to get cheerio to release 0.22.1 (or 0.23.0).
I don't know what the plans are, and security is very important yes, but one nasty thing I remember the latest Cheerio doing is that its parser automatically inserts <tbody> tags in every <table>.
This can result in CSS selectors not working anymore, and it increases the HTML file size to absolutely no benefit: <tbody> is optional, and with emails this is very important, as Gmail cuts off emails that are over ~102KB in size (discussion).
Someone will need to try the upgrade and see how much breakage it causes in the tests so we can decide what to do. If people really hate tbody tags they could write a post-processor option to strip them all, which maybe is useful in general. I don't feel like tbody tags happen with enough frequency for that to be important, but they do affect selector specificity for anyone that had table > tr and suddenly that won't match anything if cheerio is inserting tbody tags.
Also, I'm not only talking about this in reference to the issue in lodash, in general I'd rather be up to date on dependencies and deal with changes in them instead of being like "yeah, that 0.x version of cheerio was awesome and it went downhill from there" which is ridiculous 😝
A new version of lodash.merge has been published, so the immediate issue has been fixed.