posthtml / htmlnano

Modular HTML minifier, built on top of the PostHTML
https://htmlnano.netlify.app
MIT License

Is it possible to remove the vulnerabilities introduced by postcss ? #149

Closed vincentsum777 closed 3 years ago

vincentsum777 commented 3 years ago

Hi, @maltsev @SukkaW,

Issue Description

I noticed that htmlnano@0.2.9 transitively depends on postcss@7.0.32. However, vulnerabilities CVE-2021-23382 and CVE-2021-23368 are detected in package postcss@7.0.32.
As far as I am aware, htmlnano@0.2.9 is so popular that a large number of projects depend on it (77,359 downloads per week and about 1,285 downstream projects, e.g., parcel-bundler 1.12.5, @parcel/optimizer-htmlnano 2.0.0-alpha.3, @contentful/contentful-extension-scripts 0.20.7, piral-cli-parcel 0.13.2, @todesktop/cli 0.27.0, etc.). In this case, vulnerabilities CVE-2021-23382 and CVE-2021-23368 can be propagated into these downstream projects and expose them to security threats. As you can see, htmlnano@0.2.9 is introduced into the above projects via the following package dependency paths: (1) vibranium-cli@0.0.3-7 ➔ vibranium-report-ui@0.0.6 ➔ parcel@1.12.4 ➔ htmlnano@0.2.9 ➔ purgecss@2.3.0 ➔ postcss@7.0.32 ...

I know that it's kind of you to have removed the vulnerability since htmlnano@1.0.0. But, in fact, the large number of downstream projects above cannot easily upgrade htmlnano from version 0.2.9 to (>=1.0.0): the projects such as vibranium-report-ui, which introduced htmlnano@0.2.9, are not maintained anymore. These unmaintained packages can neither upgrade htmlnano nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package htmlnano@0.2.9?

Suggested Solution

Since these inactive projects set a version constraint 0.2.* for htmlnano on the above vulnerable dependency paths, if htmlnano removes the vulnerability from 0.2.9 and releases a new patched version htmlnano@0.2.10, such a vulnerability patch can be automatically propagated into the downstream projects.

In htmlnano@0.2.10, could you kindly perform the following upgrade: purgecss ^2.3.0 ➔ ^3.1.0;
Note: purgecss@3.1.0 (>=3.1.0) directly depends on postcss@8.3.6, which has fixed the vulnerabilities (CVE-2021-23382 and CVE-2021-23368). Of course, if you have other ways to resolve the issue, please share with me. ^_^

Thank you for your help.
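The argument in the issue above rests on two things a reader can check for their own tree: which nested paths actually reach postcss@7.0.32, and whether the range a parent declared (0.2.* for htmlnano, ^2.3.0 for purgecss) would accept a patched version on reinstall. The script below is an added example, not code from htmlnano, parcel or the issue author. It walks the nested `dependencies` tree of an npm v1-style lockfile, records the `requires` range for each step, and applies a minimal caret/wildcard semver matcher. The lockfile object is constructed to mirror the path quoted in the issue; the ranges marked "assumed" are not stated on the page.

```javascript
// Added example; not code from htmlnano, parcel or the issue author.
// Walks a nested npm v1-style lockfile, lists every path to a package that
// matches a predicate, and checks whether the range declared by the parent of
// a given step would pick up a candidate patched version.

// Constructed lockfile fragment mirroring the path quoted in the issue.
// Ranges marked "assumed" are not on the page.
const CONSTRUCTED_LOCK = {
  name: 'vibranium-cli',
  version: '0.0.3-7',
  dependencies: {
    'vibranium-report-ui': {
      version: '0.0.6',
      requires: { parcel: '^1.12.4' }, // assumed
      dependencies: {
        parcel: {
          version: '1.12.4',
          requires: { htmlnano: '0.2.*' }, // constraint quoted in the issue
          dependencies: {
            htmlnano: {
              version: '0.2.9',
              requires: { purgecss: '^2.3.0' }, // range quoted in the issue
              dependencies: {
                purgecss: {
                  version: '2.3.0',
                  requires: { postcss: '^7.0.32' }, // assumed
                  dependencies: { postcss: { version: '7.0.32' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

function parseVersion(v) {
  // Prerelease/build tags are dropped; good enough for the ranges used here.
  const [major, minor, patch] = v.split('-')[0].split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Minimal matcher for "^a.b.c" and "a.b.*" / "a.b.x". Real npm ranges are
// richer; anything else throws rather than silently matching.
function satisfies(version, range) {
  const v = parseVersion(version);
  const wild = range.match(/^(\d+)\.(\d+)\.(\*|x)$/);
  if (wild) return v.major === Number(wild[1]) && v.minor === Number(wild[2]);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    if (compare(v, lo) < 0) return false;
    // Caret rule: the leftmost non-zero component must not change, so
    // ^0.2.9 accepts 0.2.10 but not 0.3.0, and ^2.3.0 never accepts 3.x.
    if (lo.major > 0) return v.major === lo.major;
    if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
    return v.major === 0 && v.minor === 0 && v.patch === lo.patch;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Depth-first walk; each step records the range its parent declared for it.
function findPaths(lock, predicate) {
  const found = [];
  const walk = (node, name, range, chain) => {
    const here = [...chain, { name, version: node.version, range }];
    if (predicate(name, node.version)) found.push(here);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, (node.requires || {})[childName] || null, here);
    }
  };
  walk(lock, lock.name, null, []);
  return found;
}

function formatPath(path) {
  return path.map((s) => `${s.name}@${s.version}`).join(' > ');
}

// For each path, would the parent's range for `pkg` accept `candidate`?
function wouldPropagate(paths, pkg, candidate) {
  return paths.map((path) => {
    const step = path.find((s) => s.name === pkg);
    return step && step.range ? satisfies(candidate, step.range) : false;
  });
}

const paths = findPaths(CONSTRUCTED_LOCK, (n, v) => n === 'postcss' && v === '7.0.32');
for (const p of paths) console.log(formatPath(p));
console.log('htmlnano@0.2.10 accepted by 0.2.*:', wouldPropagate(paths, 'htmlnano', '0.2.10'));
console.log('htmlnano@1.0.0 accepted by 0.2.*: ', wouldPropagate(paths, 'htmlnano', '1.0.0'));
console.log('purgecss@3.1.0 accepted by ^2.3.0:', wouldPropagate(paths, 'purgecss', '3.1.0'));
```

Against the constructed tree the walk prints the single path from the issue and reports that htmlnano@0.2.10 would be accepted by the 0.2.* constraint while htmlnano@1.0.0 and purgecss@3.1.0 would not, which is exactly why a 0.2.x patch release propagates and a major bump does not. On a real project, `npm ls postcss` and `npm audit` give the hoisted view of the same question; the walk here follows nesting only and ignores deduplication.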

maltsev commented 3 years ago

In general, I like your solution and this is something we can do.

But we can't use purgecss@3 in htmlnano@0.2.* because of the breaking changes in the 3rd version. That was actually the reason we released htmlnano@1.0.0. You can read more about that in https://github.com/posthtml/htmlnano/issues/109

Do you have any other ideas on how this can be solved?

vincentsum777 commented 3 years ago

@maltsev Thanks for your feedback and explanation.

maltsev commented 3 years ago

I'll close this issue for now as I don't see a good solution to the problem. Feel free to re-open it.