Closed zanodor closed 1 week ago
html-minifier has a high security vulnerability, and I cannot install dependencies. I tried to fix it with html-minifier-terser but have problems and cannot build locally.
The same happens for me on GitHub: running the workflow on GitHub Actions gets an error.
```
╰─λ npm install
up to date, audited 527 packages in 1s
140 packages are looking for funding
run `npm fund` for details
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
```
@oleeskild you should update the dependencies of the template.
Edit: Here's the audit; it says "no fix available". This is literally dependency hell.
```
# npm audit report
html-minifier *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
1 high severity vulnerability
Some issues need review, and may require choosing
a different dependency.
```
https://github.com/advisories/GHSA-pfq8-rq6v-vf5m - Severity high (7.5)
Now it is fixed with the new update v1.61.3 https://github.com/oleeskild/digitalgarden/commit/693a35f864d53a225cda3b4210a8c76a9fbf95f7
Thank you very much @oleeskild. Now it is working perfectly and there are 0 vulnerabilities detected by npm.
This issue can be closed.
I've seen these concerning ws and pug:
As much as I've managed to garner, these issues would go away if the user adds the new versions addressing these vulnerabilities to the package-lock file.
I wonder if I'm the only one having these so I thought I'd throw this up and also wonder how much troubleshooting is necessary to keep the template going...?
Cheers