CVE-2022-37620 & switch to htmlnano

[kevbarns]

it appears the CVE-2022-37620 won't get fixed in the html-minify package, not maintained anymore as it appears, see kangax/html-minifier#1135

On alternative would be to switch to https://github.com/posthtml/htmlnano.

[iRyusa]

Might be a good alternative as its roughly the same size as html-minifier

[santialbo]

has anyone found a combination of htmlnano options and preset that works well everywhere?

I tried

• minifyCss: false
• preset "safe"

but emails are rending blank for some customers of us...

[santialbo]

has anyone found a combination of htmlnano options and preset that works well everywhere?

I tried

* minifyCss: false

* preset "safe"

but emails are rending blank for some customers of us...

fixed by maltsev/htmlnano#278

[spotlesscoder]

any updates on this?

[PeterJCLaw]

https://github.com/terser/html-minifier-terser might be another alternative. From my experience (one fairly small project, CLI usage only) the options are pretty much completely compatible, so making the move miiight be simpler than htmlnano.

[iRyusa]

Minifier-terser is at least 4x the size of htmlnano so it’s not considered as a replacement for us.On 14 May 2024, at 20:53, Peter Law ***@***.***> wrote: https://github.com/terser/html-minifier-terser might be another alternative. From my experience (one fairly small project, CLI usage only) the options are pretty much completely compatible, so making the move miiight be simpler than htmlnano. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[iRyusa]

Forgot to mention in this thread, but MJML 5 is available in experimental branch https://www.npmjs.com/package/mjml/v/5.0.0-alpha.4 fixing this CVE with htmlnano + prettier as a 1-1 replacement. I'm not entirely convinced about prettier as a replacement of js-beautify but couldn't find a minimalistic formatter for MJML yet. If this CVE could affect you in some way, you should go on experimental branch for now.

…

Message ID: ***@***.***>

[azuisleet]

The first call to mjmlto2html on the experimental branch seems to take a long time. It appears htmlnano is lazily loading a bunch of modules. The ANR stack trace I have shows htmlnano/minifyCss as the culprit, but I don't really know why since it's explicitly disabled:

https://github.com/mjmlio/mjml/blob/fix/replace-html-minifier/packages/mjml-core/src/index.js#L404

For now I'm warming this call on application start until I can investigate this further.

[wilau2]

https://www.npmjs.com/package/html-minifier-terser
someone forked html-minifier this could be a quick win ?

[joh-klein]

Any updates on this?

[balboFK]

Hello! @iRyusa can we have any updates on this? Its been almost an year since openning now. And i dont really know where to follow if this is being acted on.
Thanks!

[iRyusa]

As said earlier there’s an experimental branch with latest alpha available.On 31 Oct 2024, at 17:47, Eduardo Marques Balbo ***@***.***> wrote: Hello! @iRyusa can we have any updates on this? Its been almost an year since openning now. And i dont really know where to follow if this is being acted on. Thanks! —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>