
npm audit: html-minifier #9962

Closed
pascalgrimaud opened this issue May 31, 2024 · 5 comments · Fixed by #10036
Labels: area: bug 🐛 Something isn't working; area: dependencies; $$ bug-bounty $$ (https://www.jhipster.tech/bug-bounties/); generator: internal; $100 (https://www.jhipster.tech/bug-bounties/)

Comments

@pascalgrimaud (Member)

In the current version v1.9.0, there are several warnings.
I don't know if we can do something.
Any idea @Gnuk?

➜ npm audit    
# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  html2pug  >=0.0.1
  Depends on vulnerable versions of html-minifier
  node_modules/html2pug
    @tikui/core  *
    Depends on vulnerable versions of html2pug
    node_modules/@tikui/core

3 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
@pascalgrimaud (Member, Author)

Adding a small bounty to fix this warning.

@murdos murdos self-assigned this Jun 4, 2024
@murdos (Contributor)

murdos commented Jun 4, 2024

I already investigated using an alternative library for html2pug on the tikui side; I'll finish my work and push it.

@Gnuk (Collaborator)

Gnuk commented Jun 11, 2024

We released a new version of Tikui core yesterday with the alternative. Thanks @murdos for the PR.

@murdos (Contributor)

murdos commented Jul 27, 2024

@pascalgrimaud (Member, Author)

@murdos: approved
