html-minifier-next 1.0.1 → 1.1.2

package/package.json

@@ -6,36 +6,32 @@
   "bugs": "https://github.com/j9t/html-minifier-next/issues",
   "dependencies": {
     "change-case": "^4.1.2",
-    "clean-css": "~5.3.2",
-    "commander": "^13.1.0",
-    "entities": "^6.0.0",
+    "clean-css": "~5.3.3",
+    "commander": "^14.0.0",
+    "entities": "^6.0.1",
     "relateurl": "^0.2.7",
-    "terser": "^5.15.1"
+    "terser": "^5.39.2"
   },
   "description": "Highly configurable, well-tested, JavaScript-based HTML minifier.",
   "devDependencies": {
     "@commitlint/cli": "^19.8.1",
-    "@jest/globals": "^29.5.0",
+    "@jest/globals": "^30.0.0",
     "@rollup/plugin-commonjs": "^28.0.3",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.1",
     "@rollup/plugin-terser": "^0.4.4",
-    "alpinejs": "^3.12.2",
+    "alpinejs": "^3.14.9",
     "commitlint-config-non-conventional": "^1.0.1",
-    "eslint": "^8.57.1",
-    "eslint-config-standard": "^17.1.0",
+    "eslint": "^9.29.0",
     "husky": "^9.1.7",
     "is-ci": "^4.1.0",
-    "jest": "^29.5.0",
-    "jest-environment-jsdom": "^29.5.0",
-    "lint-staged": "^16.0.0",
-    "rollup": "^3.29.5",
+    "jest": "^30.0.0",
+    "jest-environment-jsdom": "^30.0.0",
+    "lint-staged": "^16.1.0",
+    "rollup": "^4.41.1",
     "rollup-plugin-polyfill-node": "^0.13.0",
     "vite": "^6.3.5"
   },
-  "engines": {
-    "node": ">=16.0.0"
-  },
   "exports": {
     ".": {
       "import": "./src/htmlminifier.js",
@@ -81,7 +77,7 @@
     "build": "rollup -c",
     "build:docs": "vite build --base /html-minifier-next/ --outDir build",
     "deploy": "npm run build && npm run build:docs",
-    "lint": "eslint . --ignore-path .gitignore",
+    "lint": "eslint .",
     "prepare": "husky",
     "serve": "npm run build && vite",
     "test": "npm run test:node",
@@ -90,5 +86,5 @@
     "test:web": "NODE_OPTIONS='--experimental-vm-modules --no-warnings' jest --verbose --environment=jsdom"
   },
   "type": "module",
-  "version": "1.0.1"
+  "version": "1.1.2"
 }

package/src/htmlminifier.js

@@ -844,6 +844,11 @@ async function createSortFns(value, options, uidIgnore, uidAttr) {
 }
 
 async function minifyHTML(value, options, partialMarkup) {
+  // Check input length limitation to prevent ReDoS attacks
+  if (options.maxInputLength && value.length > options.maxInputLength) {
+    throw new Error(`Input length (${value.length}) exceeds maximum allowed length (${options.maxInputLength})`);
+  }
+
   if (options.collapseWhitespace) {
     value = collapseWhitespace(value, options, true, true);
   }
@@ -888,8 +893,24 @@ async function minifyHTML(value, options, partialMarkup) {
     return re.source;
   });
   if (customFragments.length) {
-    const reCustomIgnore = new RegExp('\\s*(?:' + customFragments.join('|') + ')+\\s*', 'g');
-    // temporarily replace custom ignored fragments with unique attributes
+    // Warn about potential ReDoS if custom fragments use unlimited quantifiers
+    for (let i = 0; i < customFragments.length; i++) {
+      if (/[*+]/.test(customFragments[i])) {
+        options.log('Warning: Custom fragment contains unlimited quantifiers (* or +) which may cause ReDoS vulnerability');
+        break;
+      }
+    }
+
+    // Safe approach: Use bounded quantifiers instead of unlimited ones to prevent ReDoS
+    const maxQuantifier = options.customFragmentQuantifierLimit || 200;
+    const whitespacePattern = `\\s{0,${maxQuantifier}}`;
+
+    // Use bounded quantifiers to prevent ReDoS - this approach prevents exponential backtracking
+    const reCustomIgnore = new RegExp(
+      whitespacePattern + '(?:' + customFragments.join('|') + '){1,' + maxQuantifier + '}' + whitespacePattern,
+      'g'
+    );
+    // Temporarily replace custom ignored fragments with unique attributes
     value = value.replace(reCustomIgnore, function (match) {
       if (!uidAttr) {
         uidAttr = uniqueId(value);