Closed by TomaszG 7 months ago

It should be resolved in mailer version 1.11.0. If there are any other issues, please do not hesitate to let me know.

@juandav, this is still valid in 1.11.2:
dependencies:
@nestjs-modules/mailer 1.11.2
└─┬ mjml 4.15.3
  ├─┬ mjml-cli 4.15.3
  │ ├── html-minifier 4.0.0
  │ └─┬ mjml-core 4.15.3
  │   └── html-minifier 4.0.0
  ├─┬ mjml-core 4.15.3
  │ └── html-minifier 4.0.0
  └─┬ mjml-preset-core 4.15.3
    ├─┬ mjml-accordion 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-body 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-button 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-carousel 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-column 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-divider 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    └─┬ mjml-group 4.15.3
      └─┬ mjml-core 4.15.3
        └── html-minifier 4.0.0
@juandav +1. Opened a pull request. I suggest moving the mjml into optional dependencies, since it is simply just an optional adapter.
Summary
A ReDoS vulnerability has been found in html-minifier@4.0.0, which is a transitive dependency of the mailer package.

Details
Vulnerability information: https://nvd.nist.gov/vuln/detail/CVE-2022-37620
mjml package ticket: https://github.com/mjmlio/mjml/issues/2802
html-minifier package ticket: https://github.com/kangax/html-minifier/issues/1135
Unfortunately, the latter one doesn't seem to be maintained anymore.

Dependency tree: