
CVE-2022-37620 html-minifier-terser dependency vulnerability

Open CodeByCalvin opened this issue 7 months ago • 5 comments

OWASP is currently throwing the following security vulnerability error from the latest version of html-webpack-plugin (5.6.3):

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 

html-minifier-terser:^6.0.2 (pkg:npm/[email protected], cpe:2.3:a:terser:html-minifier-terser:6.1.0:*:*:*:*:*:*:*): CVE-2022-37620(7.5)

See the dependency-check report for more details.

CodeByCalvin avatar May 20 '25 14:05 CodeByCalvin

Any updates on this? Maybe it would be worth changing to a more maintained fork html-minifier-next.

See also https://github.com/terser/html-minifier-terser/issues/197

JohannesWi avatar Aug 15 '25 06:08 JohannesWi

@JohannesWi You can disable the minifier here and use https://github.com/webpack-contrib/html-minimizer-webpack-plugin; it will be removed in the next major release from here in favor of this plugin.

alexander-akait avatar Aug 15 '25 12:08 alexander-akait

Hi @alexander-akait, do we know when the next major release that fixes this issue will be?

terrance456 avatar Oct 06 '25 07:10 terrance456

@terrance456 I think this month; we need a little bit more work here.

alexander-akait avatar Oct 06 '25 12:10 alexander-akait

> @terrance456 I think this month; we need a little bit more work here.

Any update on this issue?

tomkuipers avatar Dec 08 '25 12:12 tomkuipers