Html-minifier 4.0.0 has security issues

[pnesarajah]

Can you please bump version of html-minifier from 4.0.0 to 4.0.2 or 4.0.4 to resolve this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2022-37620

[rquadling]

Thank you for reporting this. Just looking at it now.

[pnesarajah]

Cheers 🍻

[rquadling]

Unfortunately, html-minifier has not fixed the issue with the last version 4.0.0 being in April 2019

I think the mitigating factor here is that the content that causes the issue is user supplied rather than being supplied by the dependency or this package. Not a great mitigating factor, I completely agree.

But until this is fixed upstream, I'm not sure what options are available.

[rquadling]

FYI: kangax/html-minifier#1135 has been open for some time now.

[rquadling]

I have made a comment (kangax/html-minifier#1135 (comment)).

[pnesarajah]

Ahh right, thanks for checking. I thought a newer version was released but the one I saw was just forked and fixed ;)

Feel free to close this issue iif not needed 🙂

[rquadling]

@pnesarajah If I made a fork and put my changes in, do you know how to get Snyk to check it and see if the issue is still present? If that's doable, then hopefully fixing this in the main package should be easier. The regexs I've put forward all work as expected in Regex101, but I don't have an example where the catastrophic backtrack takes place.

[pnesarajah]

I think you can use this tool - you can either put in snippets of code (to verify your fix) or upload larger libraries:
https://snyk.io/code-checker/

My org uses tools such as sonar and blackduck so thats what I go for, but the above might help too

[rquadling]

Thanks for that. I'm closing this ticket but will be watching what happens with html-minifier.