kangax / html-minifier

Javascript-based HTML compressor/minifier (with Node.js support)
http://kangax.github.io/html-minifier/
MIT License
4.94k stars 571 forks

CVE-2022-37620 / ReDoS found in htmlminifier.js #1135

Open secdevlpr26 opened 1 year ago

secdevlpr26 commented 1 year ago

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js. The ReDoS vulnerability can be mitigated with several best practices described here: [https://snyk.io/blog/redos-and-catastrophic-backtracking/]

michaeljauk commented 1 year ago

Is anyone willing to work on this?

blv-raulcatalan commented 1 year ago

Any update on this?

rquadling commented 1 year ago

One of the lines referred to by the CVE has the following regex \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$

Would changing it to \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$ be enough?

\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$ is another way that should stop the backtracking (based this upon https://snyk.io/blog/redos-and-catastrophic-backtracking/).
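
The descriptor pattern quoted above, next to a linear-time replacement, as an added example that is not code from html-minifier or from anyone in this thread. It assumes the pattern is matched against one srcset candidate to cut the descriptor off the URL; `splitWithRegex`, `splitLinear` and `timeMs` are the example's own names. The padded input makes the unanchored `\s+` retry at every whitespace position, so matching time grows roughly quadratically with the padding, while the replacement hands only the whitespace-free tail to an anchored regex.

```javascript
// Added example, not html-minifier's own code: the regex from the thread
// beside a replacement that never backtracks over a whitespace run.
const VULNERABLE_RE = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;

// Regex-based split (assumed usage): match the quoted pattern against one
// srcset candidate and return the URL part and the descriptor, or null.
function splitWithRegex(candidate) {
  const m = candidate.match(VULNERABLE_RE);
  if (!m) return null;
  return { url: candidate.slice(0, m.index), descriptor: m[1] };
}

// Linear-time split: walk back from the end over the non-whitespace tail,
// then over the whitespace run before it. Only the tail reaches a regex,
// and it is anchored at both ends and contains no whitespace, so there is
// no `\s+` to retry at every position.
const DESCRIPTOR_RE = /^(?:[1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;
const isSpace = (ch) => /\s/.test(ch); // same class as the original `\s`

function splitLinear(candidate) {
  let tailStart = candidate.length;
  while (tailStart > 0 && !isSpace(candidate[tailStart - 1])) tailStart--;
  if (tailStart === 0) return null; // no whitespace before the tail
  const descriptor = candidate.slice(tailStart);
  if (!DESCRIPTOR_RE.test(descriptor)) return null;
  let urlEnd = tailStart;
  while (urlEnd > 0 && isSpace(candidate[urlEnd - 1])) urlEnd--;
  return { url: candidate.slice(0, urlEnd), descriptor };
}

function timeMs(fn) {
  const t0 = performance.now();
  fn();
  return performance.now() - t0;
}

// Constructed input: a long whitespace run ending in a lone digit never
// matches, so the original regex backtracks across the run from every
// start position. Doubling n should roughly quadruple its time.
for (const n of [5000, 10000]) {
  const padded = ' '.repeat(n) + '1';
  console.log(`n=${n}: regex ${timeMs(() => splitWithRegex(padded)).toFixed(1)} ms,` +
              ` linear ${timeMs(() => splitLinear(padded)).toFixed(1)} ms`);
}
```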

timbomckay commented 1 year ago

I stumbled upon a fork of this maintained by terser: https://www.npmjs.com/package/html-minifier-terser

Probably the way to go.

littleblack111 commented 4 months ago

any updates?

timbomckay commented 4 months ago

> any updates?

@littleblack111 as mentioned above, along with the slew of references to others switching, html-minifier-terser is probably the best solution. Aside from some repo adjustments this solution appears to be fairly abandoned, especially since the package hasn't been updated in 5 years, while html-minifier-terser is maintained by Terser.

rquadling commented 4 months ago

Now I've just got to remember what project I'm involved in that has this one as an issue!

Hessah95 commented 4 months ago

any update on this issue?

timbomckay commented 4 months ago

> any update on this issue?

@Hessah95 The comments in this thread point to another solution that's maintained.

ra-dave commented 8 hours ago

html-minifier-terser latest version (7.2.0) still has the vulnerability? I just installed it and it says so.