nest-modules / mailer

📨 A mailer module for Nest framework (node.js)
https://nest-modules.github.io/mailer/
MIT License

Vulnerability in the 2.0.2 #1196

Open NicolasMelin opened 1 month ago

NicolasMelin commented 1 month ago

Hello,

I have installed the last version of the module, 2.0.2, and I have a vulnerability error:

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install @nestjs-modules/mailer@1.6.1, which is a breaking change
node_modules/html-minifier
  mjml-cli  <=5.0.0-alpha.0
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of mjml-core
  Depends on vulnerable versions of mjml-migrate
  node_modules/mjml-cli
    mjml  0.0.1-future || 2.0.0-beta.3 - 5.0.0-alpha.0
    Depends on vulnerable versions of mjml-cli
    Depends on vulnerable versions of mjml-core
    Depends on vulnerable versions of mjml-migrate
    Depends on vulnerable versions of mjml-preset-core
    node_modules/mjml
      @nestjs-modules/mailer  >=1.7.0
      Depends on vulnerable versions of mjml
      node_modules/@nestjs-modules/mailer

Thanks in advance for your support.

Veloz-X commented 3 weeks ago

I also have the same error. I'm waiting for that vulnerability to be patched.

LeshaZ commented 3 weeks ago

Same. Looks like it was already mentioned there https://github.com/nest-modules/mailer/issues/1092 but nothing since v.1.11.0.

pi22by7 commented 2 weeks ago

Waiting for a fix too.

pi22by7 commented 1 week ago

Just realised that this is not a nestjs/mailer issue but instead comes from html-minifier via mjml. I am looking into how I can help since not many have been willing to work on it.
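
The chain described in the last comment (html-minifier reached through mjml) can be read mechanically from `npm audit --json` by following each entry's `via` links from the direct dependency down to the package that carries the advisory. The sketch below is an added example, not part of the thread or the project's code; the report object is constructed to mirror the tree in the issue, and the `mjml-core` entry and the function name `traceRootCauses` are assumptions.

```javascript
// Constructed sample shaped like `npm audit --json` output (auditReportVersion 2),
// mirroring the tree in the issue. The mjml-core entry is an assumption.
const ADVISORY = "https://github.com/advisories/GHSA-pfq8-rq6v-vf5m";
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "html-minifier": {
      name: "html-minifier", severity: "high", isDirect: false,
      via: [{ title: "kangax html-minifier REDoS vulnerability", url: ADVISORY }],
    },
    "mjml-core": { name: "mjml-core", severity: "high", isDirect: false, via: ["html-minifier"] },
    "mjml-cli": { name: "mjml-cli", severity: "high", isDirect: false, via: ["html-minifier", "mjml-core"] },
    "mjml": { name: "mjml", severity: "high", isDirect: false, via: ["mjml-cli", "mjml-core"] },
    "@nestjs-modules/mailer": { name: "@nestjs-modules/mailer", severity: "high", isDirect: true, via: ["mjml"] },
  },
};

// For each direct dependency flagged by the audit, follow `via` links breadth-first
// until reaching packages whose `via` holds an advisory object (the real origin).
function traceRootCauses(report) {
  const vulns = report.vulnerabilities || {};
  const findings = [];
  for (const direct of Object.values(vulns).filter((v) => v.isDirect)) {
    const seen = new Set([direct.name]); // guards against cycles in `via`
    const queue = [[direct.name]];       // each item is the path walked so far
    while (queue.length > 0) {
      const path = queue.shift();
      const node = vulns[path[path.length - 1]];
      if (!node) continue; // name referenced in `via` but absent from the report
      const advisories = [];
      for (const via of node.via || []) {
        if (typeof via === "string") {
          if (!seen.has(via)) { seen.add(via); queue.push([...path, via]); }
        } else if (via.url) {
          advisories.push(via.url); // advisory object: this package is a root cause
        }
      }
      if (advisories.length > 0) {
        findings.push({ direct: direct.name, root: node.name, advisories, path });
      }
    }
  }
  return findings;
}

for (const f of traceRootCauses(sampleReport)) {
  console.log(`${f.direct}: ${f.root} (${f.advisories.join(", ")}) via ${f.path.join(" > ")}`);
}
```

To check a real project, pass the parsed output of `npm audit --json` in place of `sampleReport`.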