tl;dr: Premail is designed to run on your machine, with your code. If you are reporting a security vulnerability because of an npm warning, GitHub Dependabot warning, Snyk alert, or CVE, please make sure it's truly a vulnerability in this context.
In 2021, Dan Abramov wrote "npm audit: Broken by Design", explaining why many "vulnerabilities" reported by npm audit (which also runs whenever you use npm install, and which GitHub's Dependabot uses too) are not really vulnerabilities. Like his example of create-react-app, Premail is designed to run on your machine, with your code (MJML, YAML and Sass).
Many vulnerabilities, especially DDoS attacks, assume an attack vector in which the attacker can pass malformed or voluminous input to the program. But if an attacker already has access to your machine such that they can pass things to a running program, they can do a lot more than overflow buffers!
That you can write code that breaks a program isn't really a vulnerability. That doesn't mean the handling of bad code can't be improved -- if you experience Premail crashing without (helpful) error messages, you can certainly file that as a bug or feature request. But it's not a security risk.
Many folks have connected this broken reporting system to the nature of CVEs themselves; SQLite has an excellent write-up.
npm does have a couple of different proposals for addressing this in the works, and I hope they land on something soon.
In the meantime, if you are thinking of filing an issue about a security warning you see in your console or in your GitHub repo about a "vulnerability" in one of Premail's dependencies, please first consider whether it is in fact an actual vulnerability. Issues filed reporting such non-vulnerabilities will be closed with a pointer to this issue.
Thanks for helping us make Premail great!