
Maybe Replace `html-minifier` with `htmlnano` or `html-minifier-terser` due to security vulnerabilities

Open RoversX opened this issue 6 months ago • 3 comments

Check List

  • [X] I have already read README.
  • [X] I have already searched existing issues.
  • [X] I have already searched existing pull requests.

Feature Request

I noticed that the hexo-html-minifier project currently depends on html-minifier (version ^4.0.0), which has a high-severity security vulnerability (REDoS). Unfortunately, html-minifier is no longer actively maintained, and there is no fix available for this issue.

npm audit
# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  hexo-html-minifier  *
  Depends on vulnerable versions of html-minifier
  node_modules/hexo-html-minifier

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

So maybe we should replace html-minifier with html-minifier-terser or htmlnano ? Thank you!

Additional context

No response

RoversX, Aug 27 '24 10:08