minify-html-literals
CVE-2022-37620: High Vulnerability with html-minifier
Hello! First off, thanks a bunch for this package. It's extremely helpful.
I was alerted via Dependabot about an issue with html-minifier as I'm using minify-html-literals with esbuild in a few projects. It looks like this library depends on html-minifier which is why it landed in our dependency graph.
At any rate, it appears that html-minifier has an open vulnerability from 2022: https://nvd.nist.gov/vuln/detail/CVE-2022-37620.
It also appears as though html-minifier is no longer maintained.
- https://github.com/kangax/html-minifier/issues/1151
- https://github.com/kangax/html-minifier/issues/1135
I was wondering if you'd be open to switching to one of the options instead?
- https://github.com/posthtml/htmlnano
- https://www.npmjs.com/package/html-minifier-terser
I'd be happy to take a stab at opening a PR trying this. I mostly wanted to see a) whether this was on your radar and b) whether you'd be open to it.
Thank you!
Came here for the same reason.
Hi! Like @ynotdraw said, I cannot overstate how useful this set of packages is for Lit users (and beyond).
I was hitting a few issues, so over time I decided to overhaul things a bit, at least on infra and deps, while keeping the API the same.
If anyone is interested, I've made a fork combining all three packages: https://github.com/JulianCataldo/literals
Non-exhaustive list of what has been done from the initial repos (3 projects):
- Migrate everything to ESM
- Migrate to html-minifier-terser (using Terser) versus html-minifier (using Uglify)
- Upgrade nearly all dependencies
- Update tests for ESM compatibility
- Migrate to a PNPM-managed mono repo by merging the three forked repos histories
- Centralize most tooling to root (lint-staged, husky, prettier…)
- Remove old/broken tools (ts-node CJS setup, mocha, nyc, jasmine, coveralls, travis…)
- Set up modern test tooling (node:test with bare tsc, c8…)
- Set up a CI/CD with Lerna-lite backed releases
- Pin problematic dependencies before a full upgrade
- Add demos
- Security: added NPM package provenance and PNPM signatures audit in CI
While keeping all tests greens (no release if CI is unhappy).
Bye :)
Thanks a lot for your work on this @JulianCataldo - I just sponsored you via your BMAC. If other people find your fork useful, sponsoring it is a good way to make sure it will remain supported.
It would be nice if @asyncLiz could mark the projects as not maintained and add a link to your fork.
Hey y'all! I'm really sorry that I've let this project slip. I'll add an item to my to-do list to update the readmes on these repos.
No worries @asyncLiz, I (and probably many others) have used your packages for a few years, thanks for your work on it 🙏
If it helps I can open a PR to the repos adding a note at the beginning of the README:
> [!NOTE]
> This repository is not maintained any more, see JulianCataldo/literals for updates.
Let me know if this helps and what message you'd like to see there.
Thanks!
Closing as fixed in #57. I still have an item on my todo list to update readmes and stuff for this repo, thanks for your patience y'all!
Hey @asyncLiz! No problem, the fixes were relatively painless after all ^^. Terser kept the same options API as Uglify, with some minor changes, but none that broke tests, thankfully. I'll try to migrate CleanCSS and MagicString, too. I've already fiddled around and this is doable; mostly typing mismatches.
Anyway, thanks again for this indispensable toolset you made 🙏. It recently proved to work well with SSR+hydration for me, too!