
Vulnerability in the 2.0.2 #1196

Open
NicolasMelin opened this issue Jun 7, 2024 · 13 comments

Comments

@NicolasMelin

Hello,

I have installed the latest version of the module, 2.0.2, and I get a vulnerability error:

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install @nestjs-modules/[email protected], which is a breaking change
node_modules/html-minifier
  mjml-cli  <=5.0.0-alpha.0
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of mjml-core
  Depends on vulnerable versions of mjml-migrate
  node_modules/mjml-cli
    mjml  0.0.1-future || 2.0.0-beta.3 - 5.0.0-alpha.0
    Depends on vulnerable versions of mjml-cli
    Depends on vulnerable versions of mjml-core
    Depends on vulnerable versions of mjml-migrate
    Depends on vulnerable versions of mjml-preset-core
    node_modules/mjml
      @nestjs-modules/mailer  >=1.7.0
      Depends on vulnerable versions of mjml
      node_modules/@nestjs-modules/mailer

Thanks in advance for your support.

@Veloz-X
Contributor

Veloz-X commented Jun 10, 2024

I also have the same error, I'm waiting for that vulnerability to be patched

@LeshaZ

LeshaZ commented Jun 10, 2024

Same. Looks like it was already mentioned there (#1092), but nothing since v1.11.0.

@pi22by7

pi22by7 commented Jun 17, 2024

Waiting for a fix too.

@pi22by7

pi22by7 commented Jun 26, 2024

Just realised that this is not a nestjs/mailer issue; it comes from html-minifier via mjml. I am looking into how I can help, since not many have been willing to work on it.

@stepanroznik

stepanroznik commented Jul 10, 2024

I haven't properly tested this yet, but there is an alpha version of mjml that doesn't use html-minifier. As a workaround, you can replace the version mailer uses in package.json overrides:

{
    "name": "myproject",
    "version": "0.0.0",
    "scripts": ...
    "dependencies": ...
    "overrides": {
        "@nestjs-modules/mailer": {
            "mjml": "^5.0.0-alpha.4"
        }
    }
}

By doing this I got rid of all vulnerabilities.

@Veloz-X
Contributor

Veloz-X commented Jul 10, 2024

> I haven't properly tested this yet, but there is an alpha version of mjml that doesn't use html-minifier. As a workaround, you can replace the version mailer uses in package.json overrides:
>
> {
>     "name": "myproject",
>     "version": "0.0.0",
>     "scripts": ...
>     "dependencies": ...
>     "overrides": {
>         "@nestjs-modules/mailer": {
>             "mjml": "^5.0.0-alpha.4"
>         }
>     }
> }
>
> By doing this I got rid of all vulnerabilities.
>
> (quoting stepanroznik)

@stepanroznik Thanks for your reply, it works, now it doesn't have any vulnerability.
You just have to increase this line in the project in NestJS:
"overrides": { "@nestjs-modules/mailer": { "mjml": "^5.0.0-alpha.4" } }

@NicolasMelin
Author

Another module removed html-minifier as a dependency and uses https://www.npmjs.com/package/html-minifier-terser instead.
I think it is possible for this module too!

RenanGalvao added a commit to ProjetoUmPorTodosTodosPorUm/api that referenced this issue Aug 5, 2024
…iler#1196

refactor: logger not saving access into log table, just logging to with logger from nestjs
@desarrollador1IR

Hi, how can I solve this? What changes should I make in my project? I don't understand :(

@NicolasMelin
Author

Any update on this topic?

@Veloz-X
Contributor

Veloz-X commented Sep 12, 2024

@NicolasMelin @desarrollador1IR

The answer is above, you just need to configure package.json; it's a quick solution.

@NicolasMelin
Author

> @NicolasMelin @desarrollador1IR
>
> The answer is above, you just need to configure package.json; it's a quick solution.

Hi @Veloz-X, thanks for your response.

I understand your solution, but I think that it's not a good thing for 2 reasons:

  • Overriding dependencies of dependencies in package.json can be dangerous
  • Using an alpha version of a module in a production application is not safe

@AlexDieRobe

AlexDieRobe commented Oct 4, 2024

What is currently blocking the update of mjml? As far as I understand, the MJML package provides a fix in v5, which is only an alpha.

@Frtrillo

Looking forward to a fix; as @NicolasMelin said, it's dangerous to use an alpha package in production.


8 participants