Daniel Ruf

I think that we should refactor the css logic, because there are more problems which arise when custom fragments are used: ```html {% ignore1 %} a { {% ignore2 %}...

It seems the CVE record differs from https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181, which contains more details. Not sure why this is the case. I will clarify with Snyk. The described PoC does not work...

It seems no one really confirmed the actual issue here. See my addition regarding the `candidate` variable: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453388023 Detailed analysis and recommended mitigations: https://github.com/kangax/html-minifier/issues/1135#issuecomment-2453405484

> Cannot find module 'html-minifier-terser' This means the step with `npm i html-minifier-terser` was forgotten.

This fixes nothing. The sha1 hash is just used to create a hashtable (PerformanceResults in `get_driver_id`) and doesn't have to be cryptographically secure. For tests the performance is more relevant.

> To me the last 48 commits to this repository (all made by the same individual) are troubling. They all have a commit message of the form "Update {filename}", without...

See also https://github.com/tuupola/server-timing-middleware/issues/25#issuecomment-2102056831

That is because `

Can you provide a reproducible test case or steps to reproduce this?

Hm, right the files are there according to `phar extract -f ./phpstan.phar`. Even on my terminal `php -r "var_dump(file_exists('phar://C:/some/vendor/phpstan/phpstan/phpstan.phar/src/Reflection/SignatureMap/../../../vendor/phpstan/php-8-stubs/stubs/ext/mbstring/mb_strtolower.stub'));"` returns `true`. But `var_dump(stream_resolve_path('phar://C:/some/vendor/phpstan/phpstan/phpstan.phar/src/Reflection/SignatureMap/../../../vendor/phpstan/php-8-stubs/stubs/ext/mbstring/mb_strtolower.stub'));` returns `false`. `file_get_contents` always returns something and...