Update to Terser to Resolve ReDoS Vulnerability

[Raxvis]

The html-minifier package hasn't been updated for nearly 4 years and has a kangax/html-minifier#1135. Terser has forked the repo and is actively maintaining it under html-minifier-terser.

Can mjml get updated to use the maintained package from Terser?

[iRyusa]

We won’t using Terser package as it’s way too big. I’m still working on remove minify as a dependency and put it as optional : if you run mjml only locally you don’t really care about this security issue.On 8 Aug 2023, at 20:45, William ***@***.***> wrote: The html-minifier package hasn't been updated for nearly 4 years and has a kangax/html-minifier#1135. Terser has forked the repo and is actively maintaining it under html-minifier-terser. Can mjml get updated to use the maintained package from Terser? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Raxvis]

We have templates running on the fly as we have mustache inside of html.

Is there any help that you need with removing the minify? Would you take a PR for this?

[iRyusa]

Just don’t rely on mjml minify then you should be fine. I have an open PR on this it just need to be tested.On 8 Aug 2023, at 20:51, William ***@***.***> wrote: We have templates running on the fly as we have mustache inside of html. Is there any help that you need with removing the minify? Would you take a PR for this? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[Raxvis]

We don't minify but the package is getting scanned and that's causing issues since it's in the dependencies.

No worries, I will manually build for now and upgrade later

[tschoffelen]

This is still making bundling more complicated as well - any progress in marking as optional? I'm happy to put in a PR - any guidance on if you want to do something code wise, or just move it to optionalDeps in package.json?

Edit: I noticed there is already a similar PR for v5. Let me know if I can help with anything!

[iRyusa]

👋 @tschoffelen I think optionalDependencies are checked too by npm audit and other security check.

As we're removing both beautify + minify from the lib, the HTML output from MJML is really bad, i'm looking for a lightweight alternative to beautify-js.
I'm still working on this on my free time and miss the release date that I had in mind for last month 😢

You can find more info in #2589 You can reach me on MJML slack if you want 👍

[tschoffelen]

Thanks @iRyusa! I was indeed more thinking about the problem I'm having in bundling mjml with esbuild at the moment.

Thanks for the work you've been doing on this so far, and I understand how hard it is to find time to do this soft of stuff!