[labs/rollup-plugin-minify-html-literals] Replace unmaintained html-minifier with html-minifier-next #5099
Conversation
🦋 Changeset detectedLatest commit: 443137f The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
We're going to have to take a look at this one, because I'm pretty wary of changing npm dependencies these days. I'm personally not so worried about a ReDoS vulnerability being reported in html-minifier since the minifier is typically run on a developers own inputs. The minifier would have to be run on untrusted inputs for this to be a problem, which is conceivable (a hosted minifier, I suppose?) but probably very rare. A few notes on
|
|
@justinfagnani FWIW, the GitHub for the original project suggests moving to Re: the ReDoS vuln, I agree with you to an extent about the severity of the vulnerability, however the challenge for any company using Dependabot or other comparable vuln scanners is that CVE-2022-37620 will show as a high severity vuln, and that will cause a lot of headaches (e.g. as part of the process of being marked as a false positive, having to switch to a different library that doesn't bring in CVE-2022-37620, audit / compliance issues, etc.). Some companies even have a "proxy" that sits between internal systems and the NPM registry to block the download of any packages that include critical or high vulns. I would also make the case that depending on an unmaintained package (e.g. the current |
|
Thanks for the additional info @aaronmaxlevy! |
|
No problem! Thank you for your help with this :) |
This also fixes CVE-2022-37620 :)