hexojs / hexo-html-minifier

Minify HTML files with HTMLMinifier.
MIT License
26 stars 16 forks

Maybe Replace `html-minifier` with `htmlnano` or `html-minifier-terser` due to security vulnerabilities #148

Open RoversX opened 2 weeks ago

RoversX commented 2 weeks ago

Check List

Feature Request

I noticed that the hexo-html-minifier project currently depends on html-minifier (version ^4.0.0), which has a high-severity security vulnerability (REDoS). Unfortunately, html-minifier is no longer actively maintained, and there is no fix available for this issue.

npm audit
# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  hexo-html-minifier  *
  Depends on vulnerable versions of html-minifier
  node_modules/hexo-html-minifier

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

So maybe we should replace html-minifier with html-minifier-terser or htmlnano? Thank you!

Additional context

No response
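The audit output above mixes two different situations: a finding a maintainer can close by bumping a version, and a finding with "No fix available" that can only be closed by replacing the dependency (which is what this issue proposes). The following is an added example, not code from hexo-html-minifier, showing a small CI gate over `npm audit --json` that fails only on the second kind and names the direct dependency that pulls the vulnerable package in. The report shape (`auditReportVersion` 2, `vulnerabilities`, `via`, `effects`, `fixAvailable`) is npm v7+; the sample report is constructed here to mirror the text output quoted in the issue and is not real audit output.

```javascript
// Added example: gate a CI job on unfixable npm audit findings.
// Not part of hexo-html-minifier; the report below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

/**
 * Walk an npm audit v2 report and return findings at or above `minSeverity`
 * for which npm reports no fix. Packages whose only `via` entries are strings
 * are skipped: they are vulnerable purely by inheritance, and the root-cause
 * package is already reported on its own entry. Each finding carries the
 * advisory URLs and the top-level dependencies ("effects") that drag the
 * package in, so the output says what to replace, not just what is broken.
 */
function findUnfixable(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  const vulns = report.vulnerabilities || {};
  const findings = [];
  for (const [name, v] of Object.entries(vulns)) {
    if ((SEVERITY_RANK[v.severity] ?? 0) < threshold) continue;
    // Advisory objects describe the package itself; strings point at a dependency.
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    // `fixAvailable` is false, true, or an object {name, version, isSemVerMajor}.
    if (v.fixAvailable !== false) continue;
    findings.push({
      name,
      severity: v.severity,
      range: v.range,
      advisories: advisories.map((a) => a.url),
      pulledInBy: v.effects || [],
    });
  }
  return findings;
}

// Exit code a CI step would use: 1 when a dependency must be replaced.
function exitCodeFor(report, minSeverity = 'high') {
  return findUnfixable(report, minSeverity).length > 0 ? 1 : 0;
}

// Constructed sample mirroring the issue's `npm audit` text: html-minifier has
// a high-severity advisory with no fix, and hexo-html-minifier inherits it.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'html-minifier': {
      name: 'html-minifier',
      severity: 'high',
      isDirect: false,
      via: [{
        name: 'html-minifier',
        title: 'kangax html-minifier REDoS vulnerability',
        url: 'https://github.com/advisories/GHSA-pfq8-rq6v-vf5m',
        severity: 'high',
        range: '*',
      }],
      effects: ['hexo-html-minifier'],
      range: '*',
      nodes: ['node_modules/html-minifier'],
      fixAvailable: false,
    },
    'hexo-html-minifier': {
      name: 'hexo-html-minifier',
      severity: 'high',
      isDirect: true,
      via: ['html-minifier'],
      effects: [],
      range: '*',
      nodes: ['node_modules/hexo-html-minifier'],
      fixAvailable: false,
    },
  },
};

// Same report, but pretending an upgrade of html-minifier existed: the gate passes.
const SAMPLE_REPORT_WITH_FIX = JSON.parse(JSON.stringify(SAMPLE_REPORT));
SAMPLE_REPORT_WITH_FIX.vulnerabilities['html-minifier'].fixAvailable =
  { name: 'html-minifier', version: '99.0.0', isSemVerMajor: true };

for (const f of findUnfixable(SAMPLE_REPORT)) {
  console.log(`${f.severity}: ${f.name}@${f.range} has no fix; pulled in by ` +
    `${f.pulledInBy.join(', ')}; see ${f.advisories.join(', ')}`);
}
console.log('exit code:', exitCodeFor(SAMPLE_REPORT));
```

In a pipeline, feed it `npm audit --json > audit.json` and call `exitCodeFor(JSON.parse(fs.readFileSync('audit.json')))`; the inherited entry for hexo-html-minifier is deliberately not double-counted, so the failure message points at the package that actually needs swapping.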

SukkaW commented 2 weeks ago

I used to be an active contributor to htmlnano, and I have created a PR that switches to htmlnano (https://github.com/hexojs/hexo-html-minifier/pull/93), but it was abandoned.

uiolee commented 2 weeks ago

I wish to use a name like hexo-htmlnano instead of doing it in hexo-html-minifier

tomap commented 2 weeks ago

Then it's a new repository. No need to start from this one