CodeStitchOfficial / Intermediate-Website-Kit-LESS

The official CodeStitch Intermediate kit, featuring 11ty, Decap CMS and LESS - all set up for you! Perfect for websites of all sizes.
Creative Commons Zero v1.0 Universal
68 stars, 46 forks

NPM Vulnerabilities #9

Open valioprea opened 2 months ago

valioprea commented 2 months ago

When I download this kit and do npm install, I get some vulnerabilities: 3 moderate and 5 high. I'm not a node dev, so I'm not sure exactly how to address them; I'd fix them myself.

jonathan-durbin commented 1 month ago

When I ran npm audit fix it resolved almost all of the issues. There's just one high priority issue left: @sherby/eleventy-plugin-files-minifier's dependency on html-minifier, which has a ReDoS vulnerability.

@ItsEthanH, it looks like most people are moving to html-minifier-terser from the original html-minifier, which might have been abandoned. Is the fix to simply replace the dependency in node_modules/@sherby/eleventy-plugin-files-minifier/package.json with the terser version? I'm not familiar with node's package management system, so any help is appreciated.

Edit: After poking around, it looks like package-lock.json#L821 and package-lock.json#L2550 might be all that needs to change. But again, as a node novice, I couldn't say for certain.