oleeskild / digitalgarden


High severity issues sent from GH regarding package-lock.json #272

Closed zanodor closed 1 week ago

zanodor commented 3 weeks ago

I've seen these concerning ws and pug:

As much as I've managed to garner, these issues would go away if the user adds the new versions addressing these vulnerabilities to the package-lock file.

I wonder if I'm the only one having these so I thought I'd throw this up and also wonder how much troubleshooting is necessary to keep the template going...?

Cheers

Curiosity432 commented 2 weeks ago

html-minifier has a high security vulnerability, and I cannot install dependencies. I tried to fix it with html-minifier-terser but had problems and could not build locally.

Same happens for me on GitHub: running the workflow on GitHub Actions gets an error.

 ╰─λ npm install
up to date, audited 527 packages in 1s
140 packages are looking for funding
  run `npm fund` for details

1 high severity vulnerability

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

@oleeskild you should update the dependencies of the template.

Edit: Here's the audit; it says "no fix available". This is literally a dependency hell.

# npm audit report

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier

1 high severity vulnerability

Some issues need review, and may require choosing
a different dependency.

https://github.com/advisories/GHSA-pfq8-rq6v-vf5m - Severity high (7.5)
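Before swapping html-minifier for html-minifier-terser it helps to know which direct dependency actually pulls the flagged package in, and at which installed version. The following is an added example, not code from the digitalgarden template or its maintainers; it walks a constructed lockfileVersion 3 package-lock.json, and SAMPLE_LOCK, pkg_name and dependency_paths are assumed names.

```python
import json

# Constructed package-lock.json fragment (lockfileVersion 3 "packages" layout).
# Not the template's real lockfile; versions are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "digitalgarden",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@11ty/eleventy": "^2.0.0", "html-minifier": "^4.0.0"}},
        "node_modules/@11ty/eleventy": {"version": "2.0.1", "dependencies": {"ws": "^8.0.0"}},
        "node_modules/ws": {"version": "8.16.0"},
        "node_modules/html-minifier": {"version": "4.0.0", "dependencies": {"clean-css": "^4.2.1"}},
        "node_modules/clean-css": {"version": "4.2.4"},
    },
})


def pkg_name(path):
    """Map a lockfile key to a package name:
    'node_modules/@scope/name' -> '@scope/name', 'a/node_modules/b' -> 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def dependency_paths(lock_json, target):
    """Return (chains, installed_version) for `target`, where each chain lists the
    packages from a direct dependency of the project down to the target. Shows
    whether a flagged package is a direct dependency or dragged in transitively."""
    lock = json.loads(lock_json)
    packages = lock.get("packages", {})
    versions = {pkg_name(p): meta.get("version") for p, meta in packages.items() if p}
    # Edge list: "" is the project root, everything else is keyed by package name.
    edges = {("" if not p else pkg_name(p)): list(meta.get("dependencies", {}))
             for p, meta in packages.items()}
    chains = []

    def walk(node, chain, seen):
        if node == target:
            chains.append(chain)
            return
        for child in edges.get(node, []):
            if child not in seen:  # guard against cyclic dependency graphs
                walk(child, chain + [child], seen | {child})

    walk("", [], set())
    return chains, versions.get(target)


if __name__ == "__main__":
    for name in ("html-minifier", "ws"):
        chains, ver = dependency_paths(SAMPLE_LOCK, name)
        print(name, ver, [" -> ".join(c) for c in chains])
```

Run it against a real lockfile by reading the file into the `lock_json` argument; a chain of length one means the package is a direct dependency you control, a longer chain names the upstream package whose maintainer has to move off it.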

Curiosity432 commented 1 week ago

Now it is fixed with the new update v1.61.3 https://github.com/oleeskild/digitalgarden/commit/693a35f864d53a225cda3b4210a8c76a9fbf95f7

Thank you very much @oleeskild. Now it is working perfectly and there are 0 vulnerabilities detected by npm.

This issue can be closed.