nest-modules / mailer

📨 A mailer module for Nest framework (node.js)
https://nest-modules.github.io/mailer/
MIT License
847 stars 177 forks

Vulnerability in the 2.0.2 #1196

Open NicolasMelin opened 5 months ago

NicolasMelin commented 5 months ago

Hello,

I have installed the latest version of the module, 2.0.2, and I have a vulnerability error:

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install @nestjs-modules/mailer@1.6.1, which is a breaking change
node_modules/html-minifier
  mjml-cli  <=5.0.0-alpha.0
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of mjml-core
  Depends on vulnerable versions of mjml-migrate
  node_modules/mjml-cli
    mjml  0.0.1-future || 2.0.0-beta.3 - 5.0.0-alpha.0
    Depends on vulnerable versions of mjml-cli
    Depends on vulnerable versions of mjml-core
    Depends on vulnerable versions of mjml-migrate
    Depends on vulnerable versions of mjml-preset-core
    node_modules/mjml
      @nestjs-modules/mailer  >=1.7.0
      Depends on vulnerable versions of mjml
      node_modules/@nestjs-modules/mailer

Thanks in advance for your support.

Veloz-X commented 5 months ago

I also have the same error, I'm waiting for that vulnerability to be patched

LeshaZ commented 5 months ago

Same. Looks like it was already mentioned there https://github.com/nest-modules/mailer/issues/1092 but nothing since v1.11.0.

pi22by7 commented 5 months ago

Waiting for a fix too.

pi22by7 commented 4 months ago

Just realised that this is not a nestjs/mailer issue but instead comes from html-minifier via mjml. I am looking into how I can help since not many have been willing to work on it.

stepanroznik commented 4 months ago

I haven't properly tested this yet, but there is an alpha version of mjml that doesn't use html-minifier. As a workaround, you can replace the version mailer uses in package.json overrides:

{
    "name": "myproject",
    "version": "0.0.0",
    "scripts": ...
    "dependencies": ...
    "overrides": {
        "@nestjs-modules/mailer": {
            "mjml": "^5.0.0-alpha.4"
        }
    }
}

By doing this I got rid of all vulnerabilities.

Veloz-X commented 4 months ago

I haven't properly tested this yet, but there is an alpha version of mjml that doesn't use html-minifier. As a workaround, you can replace the version mailer uses in package.json overrides:

{
    "name": "myproject",
    "version": "0.0.0",
    "scripts": ...
    "dependencies": ...
    "overrides": {
        "@nestjs-modules/mailer": {
            "mjml": "^5.0.0-alpha.4"
        }
    }
}

By doing this I got rid of all vulnerabilities.

stepanroznik

@stepanroznik Thanks for your reply. It works now; it doesn't have any vulnerability. You just have to increase this line in the project in NestJS: "overrides": { "@nestjs-modules/mailer": { "mjml": "^5.0.0-alpha.4" } }

NicolasMelin commented 3 months ago

Another module removed html-minifier as a dependency and uses https://www.npmjs.com/package/html-minifier-terser instead. I think it is also possible for this module!

desarrollador1IR commented 2 months ago

Hi, how can I solve this? What changes should I make in my project? I don't understand :(

NicolasMelin commented 2 months ago

Any update on this topic?

Veloz-X commented 2 months ago

@NicolasMelin @desarrollador1IR

The answer is above: you just need to configure package.json, it's a quick solution.

NicolasMelin commented 2 months ago

@NicolasMelin @desarrollador1IR

The answer is above: you just need to configure package.json, it's a quick solution.

Hi @Veloz-X, thanks for your response.

I understand your solution, but I think that it's not a good thing for 2 reasons:

AlexDieRobe commented 1 month ago

What is currently blocking the update of mjml? As far as I understand, the MJML package provides a fix in v5 that is only an alpha.

Frtrillo commented 3 weeks ago

Looking forward to a fix; as @NicolasMelin said, it's dangerous to use an alpha package in production.