Closed JackieGable closed 4 months ago
Hello!
Had a few complaints about this one, so I already know the answer to this.
In short - you'll be pleased to know it's nothing to worry about! There's some vulnerability within the minifier that means regexes can be used to DoS an application.
While that sounds scary, note that the minifier code is only being run on the server side. None of the minifier code will be used in the final site that you deploy. That's the beauty of static sites! All the running and building is done on the server, which is secure and doesn't expose any of this vulnerable code :)
I'm keeping an eye on this one to see if/when an update to the dependency is released. I'll be sure to update both kits as soon as I find out there's a patch. In the meantime, due to the low risk of exploitation, and the need for minified code (given that Netlify doesn't have optimisation any more), I don't think there's anything to do here. Will close for now.
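The maintainer's argument above rests on one check: the vulnerable package is reachable only through build-time tooling, never through anything the deployed site runs. Below is an added example (not code from this issue, the starter kit, or the plugin) that automates that triage over a constructed dependency graph: it walks the edges from `dependencies` and from `devDependencies` separately and reports whether each audited package is reachable at runtime, only at build time, or not at all. The package names, versions, edges and the shape of the `audit` object are assumptions made for illustration, not a copy of the real lockfile.

```javascript
// Added example: classify audit findings by whether the vulnerable package is
// reachable from production dependencies or only from build-time tooling.
// Everything below is constructed for illustration (assumption, not real data).

// Constructed package.json fragment. The minifier plugin is a devDependency
// because it only runs while Eleventy builds the static output.
const packageJson = {
  dependencies: { "some-runtime-lib": "^1.0.0" },
  devDependencies: { "@sherby/eleventy-plugin-files-minifier": "^3.0.0" },
};

// Constructed dependency edges: package name -> packages it depends on.
// In a real project you would derive this from `npm ls --all --json`.
const edges = {
  "some-runtime-lib": [],
  "@sherby/eleventy-plugin-files-minifier": ["html-minifier"],
  "html-minifier": ["clean-css", "uglify-js"],
  "clean-css": [],
  "uglify-js": [],
};

// Constructed audit findings, loosely shaped like the `vulnerabilities` map
// in `npm audit --json` (name, severity, fixAvailable). Assumed values.
const audit = {
  "html-minifier": { severity: "high", fixAvailable: false },
  "some-runtime-lib": { severity: "moderate", fixAvailable: true },
};

// Depth-first walk of the edge map from a set of root package names.
function reachableFrom(roots, graph) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) stack.push(dep);
  }
  return seen;
}

// "runtime" if reachable from dependencies, "build-only" if reachable only
// from devDependencies, "not-installed" otherwise.
function classify(pkgName, pkg, graph) {
  const prod = reachableFrom(Object.keys(pkg.dependencies || {}), graph);
  const dev = reachableFrom(Object.keys(pkg.devDependencies || {}), graph);
  if (prod.has(pkgName)) return "runtime";
  if (dev.has(pkgName)) return "build-only";
  return "not-installed";
}

// Produce one triage row per audited package, sorted so runtime exposure
// (the findings that actually ship to users) comes first.
function triage(findings, pkg, graph) {
  const order = { runtime: 0, "build-only": 1, "not-installed": 2 };
  return Object.entries(findings)
    .map(([name, info]) => ({
      name,
      severity: info.severity,
      fixAvailable: info.fixAvailable,
      exposure: classify(name, pkg, graph),
    }))
    .sort((a, b) => order[a.exposure] - order[b.exposure]);
}

// Stand-alone run: prints the triage table for the constructed data.
for (const row of triage(audit, packageJson, edges)) {
  console.log(`${row.exposure.padEnd(13)} ${row.severity.padEnd(9)} fix=${row.fixAvailable} ${row.name}`);
}
```

For a real project the quicker equivalent is `npm audit --omit=dev`, which drops findings that are only reachable through devDependencies. "build-only" is still not "no risk": the minifier's regexes run over whatever HTML the build is fed, so the exposure is limited to whoever can put content into the build (templates, pull requests from forks in CI), which is the reasoning the maintainer gives above in their own words.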
Excuse me if I am doing this wrong; it's my first time reporting an issue in a repo. I just cloned this repo and got an npm audit report about an eleventy plugin:
"Some issues need review, and may require choosing a different dependency.
html-minifier
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  @sherby/eleventy-plugin-files-minifier
  Depends on vulnerable versions of html-minifier
  node_modules/@sherby/eleventy-plugin-files-minifier"
I am running node v20.11.1 and npm 10.8.1