Vulnerability in the 2.0.2
Opened this issue · 15 comments
Hello,
I have installed the last version of the module, 2.0.2,
and I have a vulnerability error:
```
html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install @nestjs-modules/mailer@1.6.1, which is a breaking change
node_modules/html-minifier
  mjml-cli  <=5.0.0-alpha.0
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of mjml-core
  Depends on vulnerable versions of mjml-migrate
  node_modules/mjml-cli
    mjml  0.0.1-future || 2.0.0-beta.3 - 5.0.0-alpha.0
    Depends on vulnerable versions of mjml-cli
    Depends on vulnerable versions of mjml-core
    Depends on vulnerable versions of mjml-migrate
    Depends on vulnerable versions of mjml-preset-core
    node_modules/mjml
      @nestjs-modules/mailer  >=1.7.0
      Depends on vulnerable versions of mjml
      node_modules/@nestjs-modules/mailer
```
Thanks in advance for your support.
I also have the same error, I'm waiting for that vulnerability to be patched
Waiting for a fix too.
Just realised that this is not a nestjs/mailer issue but instead comes from html-minifier via mjml. I am looking into how I can help since not many have been willing to work on it.
I haven't properly tested this yet, but there is an alpha version of mjml that doesn't use html-minifier. As a workaround, you can replace the version mailer uses in package.json overrides:

```json
{
  "name": "myproject",
  "version": "0.0.0",
  "scripts": ...
  "dependencies": ...
  "overrides": {
    "@nestjs-modules/mailer": {
      "mjml": "^5.0.0-alpha.4"
    }
  }
}
```
By doing this I got rid of all vulnerabilities.
stepanroznik
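An override only helps if `npm install` actually re-resolved the tree, so the check worth running after the workaround above is against package-lock.json rather than trusting `npm audit` alone. The script below is an added example, not code from this thread or from @nestjs-modules/mailer: it reads a package.json and a lockfile (v2/v3 shape, with the `packages` map keyed by install path), confirms the nested `overrides` entry is declared, and lists every resolved copy of `html-minifier` (exact name match, so `html-minifier-terser` is not flagged) together with the resolved `mjml` versions. The package.json and both lockfiles embedded here are constructed samples, including their version numbers.

```javascript
// Added example (not from the issue thread or the mailer project): verify from
// package-lock.json that the "overrides" workaround took effect.
// Assumes lockfileVersion 2 or 3, whose "packages" map is keyed by install path.

const NODE_MODULES = 'node_modules/';

// "node_modules/mjml/node_modules/@scope/pkg" -> "@scope/pkg"
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf(NODE_MODULES);
  return idx === -1 ? null : lockPath.slice(idx + NODE_MODULES.length);
}

// Every install path in the lockfile whose package name is on the watch list.
// Nested copies (a/node_modules/b) are found too, which a top-level `npm ls`
// glance can miss.
function findResolved(lock, watched) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(p);
    if (name !== null && watched.includes(name)) {
      hits.push({ path: p, name, version: meta.version });
    }
  }
  return hits;
}

// True when package.json pins `dep` for `parent` via a nested override,
// e.g. overrides["@nestjs-modules/mailer"]["mjml"].
function hasNestedOverride(pkg, parent, dep) {
  const o = pkg.overrides || {};
  return typeof o[parent] === 'object' && o[parent] !== null && dep in o[parent];
}

// One summary object a CI step can fail on (clean === false -> fail the build).
function assessWorkaround(pkg, lock) {
  const remaining = findResolved(lock, ['html-minifier']);
  const mjmlVersions = findResolved(lock, ['mjml']).map((h) => h.version);
  return {
    overrideDeclared: hasNestedOverride(pkg, '@nestjs-modules/mailer', 'mjml'),
    remaining,
    mjmlVersions,
    clean: remaining.length === 0,
  };
}

// Constructed package.json carrying the override suggested in the thread.
const PKG_WITH_OVERRIDE = {
  name: 'myproject',
  version: '0.0.0',
  dependencies: { '@nestjs-modules/mailer': '^2.0.2' },
  overrides: { '@nestjs-modules/mailer': { mjml: '^5.0.0-alpha.4' } },
};

// Constructed lockfile shaped like the audit report: mjml 4.x still resolves
// html-minifier. Versions are sample values, not taken from a real install.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'myproject', version: '0.0.0' },
    'node_modules/@nestjs-modules/mailer': { version: '2.0.2' },
    'node_modules/mjml': { version: '4.14.1' },
    'node_modules/mjml-cli': { version: '4.14.1' },
    'node_modules/html-minifier': { version: '4.0.0' },
  },
};

// Constructed lockfile after re-installing with the override: mjml is on the
// alpha line and only html-minifier-terser (a different package) is present.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'myproject', version: '0.0.0' },
    'node_modules/@nestjs-modules/mailer': { version: '2.0.2' },
    'node_modules/mjml': { version: '5.0.0-alpha.4' },
    'node_modules/html-minifier-terser': { version: '7.2.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessWorkaround(PKG_WITH_OVERRIDE, LOCK_BEFORE), null, 2));
  console.log(JSON.stringify(assessWorkaround(PKG_WITH_OVERRIDE, LOCK_AFTER), null, 2));
}
```

For a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for package-lock.json; `clean: false` means a copy of the vulnerable package is still resolved somewhere in the tree, regardless of what package.json declares.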
@stepanroznik Thanks for your reply, if it works now it doesn't have any vulnerability.
You just have to increase this line in the project in NestJS:

```json
"overrides": { "@nestjs-modules/mailer": { "mjml": "^5.0.0-alpha.4" } }
```
Another module removed html-minifier as a dependency and uses https://www.npmjs.com/package/html-minifier-terser instead.
I think it is possible for this module as well!
Hi, how can I solve this? What changes should I make in my project? I don't understand :(
Any update on this topic?
@NicolasMelin @desarrollador1IR
The answer is above; you just need to configure package.json, it's a quick solution.
Hi @Veloz-X, thanks for your response.
I understand your solution, but I think that it's not a good thing for 2 reasons:
- Overriding dependencies of dependencies in package.json can be dangerous
- Using an alpha version of a module in a production application is not safe
What is currently blocking the update of mjml? As far as I understand, the MJML package provides a fix in v5, which is only an alpha.
Looking forward to a fix; as @NicolasMelin said, it's dangerous to use an alpha package in production.
Hello,
Are there no planned updates on this topic?!
Until the release of mjml v5, I think we just have to wait.