CVE-2022-37620 & switch to htmlnano #2802
Comments
Might be a good alternative as it's roughly the same size as html-minifier |
Has anyone found a combination of htmlnano options and preset that works well everywhere? I tried
but emails are rendering blank for some of our customers... |
fixed by posthtml/htmlnano#278 |
any updates on this? |
https://github.com/terser/html-minifier-terser might be another alternative. From my experience (one fairly small project, CLI usage only) the options are pretty much completely compatible, so making the move miiight be simpler than htmlnano. |
Minifier-terser is at least 4x the size of htmlnano so it’s not considered as a replacement for us.
|
Forgot to mention in this thread, but MJML 5 is available in experimental
branch https://www.npmjs.com/package/mjml/v/5.0.0-alpha.4 fixing this CVE
with htmlnano + prettier as a 1-1 replacement.
I'm not entirely convinced about prettier as a replacement of js-beautify
but couldn't find a minimalistic formatter for MJML yet.
If this CVE could affect you in some way, you should go on experimental
branch for now.
|
The first call to mjml2html on the experimental branch seems to take a long time. It appears htmlnano is lazily loading a bunch of modules. The ANR stack trace I have shows htmlnano/minifyCss as the culprit, but I don't really know why since it's explicitly disabled: https://github.com/mjmlio/mjml/blob/fix/replace-html-minifier/packages/mjml-core/src/index.js#L404 For now I'm warming this call on application start until I can investigate this further. |
https://www.npmjs.com/package/html-minifier-terser |
Any updates on this? |
Hello! @iRyusa can we have any updates on this? It's been almost a year since opening now. And I don't really know where to follow if this is being acted on. |
As said earlier there’s an experimental branch with latest alpha available.
|
I see, I found it as "replace-html-minifier". |
Readme and docs are not yet up to date to reflect those changes. So for now it can’t be merged as long as the doc is still mentioning v4 and older dependencies.
On 31 Oct 2024, at 20:06, Eduardo Marques Balbo wrote:
> I see, I found it as "replace-html-minifier".
> Is there any ETA for its merging or are there some milestones that need to be achieved on the development for it to be merged?
> Thanks!
|
It appears the CVE-2022-37620 won't get fixed in the html-minify package, not maintained anymore as it appears, see kangax/html-minifier#1135.
One alternative would be to switch to https://github.com/posthtml/htmlnano.