Update html-to-text to fix uncontrolled memory consumption #13
+1,793 −803
Current version of prod dependency `html-to-text` has a problem rendering specially crafted HTML templates, leading to memory exhaustion on the server running this code. A fix (with high memory limits to stop this kind of attack) and options to better control this behaviour for untrusted content were applied to `html-to-text@6.0.0`.

This PR updates the `html-to-text` library to the latest 7.x release. When using `options` passed to `html-to-text`, they must be re-evaluated against the `html-to-text` documentation, as release 6.x changed some of them. Update instructions can be found on the GitHub page https://github.com/html-to-text/node-html-to-text

Note: This update needs at least NodeJS 10.23; older Node releases are not supported by `html-to-text`. But Node 8.x and older has been end-of-life for some time by now and everyone should have updated, therefore not a problem.

Together with this prod dependency I updated dev dependencies `mocha` and `grunt`, fixing multiple security warnings within their own dependencies, and fixed the deprecated usage of `new Buffer()` within the test cases. All tests are green and within our own apps the updated version works too without any problems; only options needed to be adapted.

More information about the problem can be found here: https://app.snyk.io/vuln/SNYK-JS-HTMLTOTEXT-571464 and html-to-text/node-html-to-text#172

Please release a new version to NPM afterwards. As this fix contains breaking changes (minimum NodeJS and option handling), a major version update may be recommended.

Thanks,
Stefan Seide
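As an added example (not code from this PR, from the repository, or from html-to-text itself), the block below shows the defensive idea behind the fix the PR pulls in: bound the size and nesting of untrusted HTML before any converter parses it, so a crafted template cannot drive memory consumption. html-to-text 6.x and later exposes its own `limits` option for this purpose; check the exact option names against the documentation linked above. Everything here is an assumption of this example: the function names `measureHtml` and `convertUntrustedHtml`, the `maxTags` limit, the default limit values, and the constructed inputs in `demo()`.

```javascript
// Added example: a bounded pre-check for untrusted HTML, independent of
// html-to-text itself. Names (measureHtml, convertUntrustedHtml, maxTags)
// and the default limit values are assumptions for this illustration.
const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'param', 'source', 'track', 'wbr',
]);

const DEFAULT_LIMITS = {
  maxInputLength: 1 << 20, // characters accepted before any parsing happens
  maxDepth: 64,            // deepest allowed element nesting
  maxTags: 10000,          // total opening tags allowed
};

// Single linear pass over the markup: counts opening tags and tracks the
// deepest nesting without building a DOM, so the check itself stays cheap.
function measureHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)[^>]*?(\/?)>/g;
  let depth = 0;
  let maxDepth = 0;
  let tagCount = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, selfClosing] = m;
    if (closing) {
      if (depth > 0) depth -= 1;
      continue;
    }
    tagCount += 1;
    if (selfClosing || VOID_ELEMENTS.has(name.toLowerCase())) continue;
    depth += 1;
    if (depth > maxDepth) maxDepth = depth;
  }
  return { length: html.length, maxDepth, tagCount };
}

// Rejects input that exceeds the configured bounds before `convert` (any
// html-to-text style function) sees it; oversized input never reaches the parser.
function convertUntrustedHtml(html, convert, limits = {}) {
  const opts = { ...DEFAULT_LIMITS, ...limits };
  if (typeof html !== 'string') throw new TypeError('html must be a string');
  if (html.length > opts.maxInputLength) {
    throw new RangeError(`input length ${html.length} exceeds maxInputLength ${opts.maxInputLength}`);
  }
  const measured = measureHtml(html);
  if (measured.maxDepth > opts.maxDepth) {
    throw new RangeError(`nesting depth ${measured.maxDepth} exceeds maxDepth ${opts.maxDepth}`);
  }
  if (measured.tagCount > opts.maxTags) {
    throw new RangeError(`tag count ${measured.tagCount} exceeds maxTags ${opts.maxTags}`);
  }
  return convert(html);
}

// Stand-in converter for the demo (strips tags); in an application this would
// be html-to-text's convert function with its own `limits` option set as well.
function stripTags(html) {
  return html.replace(/<[^>]+>/g, '');
}

function demo() {
  const ok = convertUntrustedHtml('<p>Hello <b>world</b></p>', stripTags);
  // Constructed input: 200 nested <div> elements, far past the 64-level default.
  const nested = '<div>'.repeat(200) + 'x' + '</div>'.repeat(200);
  let rejected = null;
  try {
    convertUntrustedHtml(nested, stripTags);
  } catch (err) {
    rejected = err.message; // "nesting depth 200 exceeds maxDepth 64"
  }
  return { ok, rejected };
}

if (typeof module !== 'undefined') {
  module.exports = { measureHtml, convertUntrustedHtml, stripTags, demo };
}
```

The pre-check is deliberately a flat scan rather than a parse, so its own cost grows linearly with the input and it cannot become the thing that exhausts memory. The length limit is applied first, before the scan, for the same reason. On the `new Buffer()` point from the PR: `Buffer.from(str, 'utf8')` is the non-deprecated replacement in the test cases, and unlike the numeric form of the old constructor it never hands back uninitialised memory.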