html-minifier-next 4.6.0 → 4.7.0

package/README.md

@@ -1,6 +1,6 @@
 # HTML Minifier Next
 
-[![npm version](https://img.shields.io/npm/v/html-minifier-next.svg)](https://www.npmjs.com/package/html-minifier-next) [![Build status](https://github.com/j9t/html-minifier-next/workflows/Tests/badge.svg)](https://github.com/j9t/html-minifier-next/actions)
+[![npm version](https://img.shields.io/npm/v/html-minifier-next.svg)](https://www.npmjs.com/package/html-minifier-next) [![Build status](https://github.com/j9t/html-minifier-next/workflows/Tests/badge.svg)](https://github.com/j9t/html-minifier-next/actions) [![Socket](https://badge.socket.dev/npm/package/html-minifier-next)](https://socket.dev/npm/package/html-minifier-next)
 
 HTML Minifier Next (HMN) is a highly **configurable, well-tested, JavaScript-based HTML minifier**.
 
@@ -146,7 +146,7 @@ Options can be used in config files (camelCase) or via CLI flags (kebab-case wit
 | `customEventAttributes`<br>`--custom-event-attributes` | Arrays of regexes that allow to support custom event attributes for `minifyJS` (e.g., `ng-click`) | `[ /^on[a-z]{3,}$/ ]` |
 | `customFragmentQuantifierLimit`<br>`--custom-fragment-quantifier-limit` | Set maximum quantifier limit for custom fragments to prevent ReDoS attacks | `200` |
 | `decodeEntities`<br>`--decode-entities` | Use direct Unicode characters whenever possible | `false` |
-| `html5`<br>`--no-html5` | Parse input according to the HTML specification; when `false`, uses a more lenient parser | `true` |
+| `html5`<br>`--no-html5` | Parse input according to the HTML specification; when `false`, enforces legacy inline/block nesting rules that may restructure modern HTML | `true` |
 | `ignoreCustomComments`<br>`--ignore-custom-comments` | Array of regexes that allow to ignore certain comments, when matched | `[ /^!/, /^\s*#/ ]` |
 | `ignoreCustomFragments`<br>`--ignore-custom-fragments` | Array of regexes that allow to ignore certain fragments, when matched (e.g., `<?php … ?>`, `{{ … }}`, etc.) | `[ /<%[\s\S]*?%>/, /<\?[\s\S]*?\?>/ ]` |
 | `includeAutoGeneratedTags`<br>`--no-include-auto-generated-tags` | Insert elements generated by HTML parser; when `false`, omits auto-generated tags | `true` |
@@ -223,29 +223,32 @@ const result = await minify(html, {
 
 ## Minification comparison
 
-How does HTML Minifier Next compare to other solutions, like [minimize](https://github.com/Swaagie/minimize), [htmlcompressor.com](http://htmlcompressor.com/), [htmlnano](https://github.com/posthtml/htmlnano), and [minify-html](https://github.com/wilsonzlin/minify-html)? (All with the most aggressive settings, though without [hyper-optimization](https://meiert.com/blog/the-ways-of-writing-html/#toc-hyper-optimized).)
-
-| Site | Original Size (KB) | HTML Minifier Next | minimize | html­compressor.com | htmlnano | minify-html |
-| --- | --- | --- | --- | --- | --- | --- |
-| [A List Apart](https://alistapart.com/) | 62 | **52** | 58 | 56 | 54 | 55 |
-| [Amazon](https://www.amazon.com/) | 822 | **735** | 806 | n/a | n/a | n/a |
-| [Apple](https://www.apple.com/) | 210 | **166** | 195 | 192 | 186 | 191 |
-| [BBC](https://www.bbc.co.uk/) | 698 | **632** | 692 | n/a | 655 | 656 |
-| [CSS-Tricks](https://css-tricks.com/) | 163 | **124** | 149 | 146 | 127 | 145 |
-| [ECMAScript](https://tc39.es/ecma262/) | 7238 | **6342** | 6615 | n/a | 6561 | 6567 |
-| [EFF](https://www.eff.org/) | 54 | **46** | 49 | 49 | 49 | 47 |
-| [FAZ](https://www.faz.net/aktuell/) | 1860 | **1737** | 1775 | n/a | n/a | 1779 |
-| [Frontend Dogma](https://frontenddogma.com/) | 218 | **209** | 235 | 216 | 230 | 217 |
-| [Google](https://www.google.com/) | 18 | **17** | 18 | 18 | **17** | n/a |
-| [Ground News](https://ground.news/) | 1827 | **1585** | 1814 | n/a | 1679 | n/a |
-| [HTML](https://html.spec.whatwg.org/multipage/) | 149 | **147** | 155 | 148 | 153 | 149 |
-| [Leanpub](https://leanpub.com/) | 1161 | **974** | 1155 | n/a | 981 | n/a |
-| [Mastodon](https://mastodon.social/explore) | 35 | **26** | 34 | 34 | 30 | 33 |
-| [MDN](https://developer.mozilla.org/en-US/) | 107 | **62** | 67 | 68 | 64 | n/a |
-| [Middle East Eye](https://www.middleeasteye.net/) | 223 | **196** | 203 | 203 | 203 | 200 |
-| [SitePoint](https://www.sitepoint.com/) | 494 | **353** | 491 | n/a | 429 | 474 |
-| [United Nations](https://www.un.org/en/) | 152 | **113** | 131 | 124 | 122 | 126 |
-| [W3C](https://www.w3.org/) | 50 | **36** | 41 | 39 | 39 | 39 |
+How does HTML Minifier Next compare to other minifiers, like [HTML Minifier Terser](https://github.com/terser/html-minifier-terser), [htmlnano](https://github.com/posthtml/htmlnano), [@swc/html](https://github.com/swc-project/swc), [minify-html](https://github.com/wilsonzlin/minify-html), [minimize](https://github.com/Swaagie/minimize), and [htmlcompressor.com](https://htmlcompressor.com/)? (All with the most aggressive settings, though without [hyper-optimization](https://meiert.com/blog/the-ways-of-writing-html/#toc-hyper-optimized). Minimize does not minify CSS or JS.)
+
+<!-- Auto-generated benchmarks, don’t edit -->
+| Site | Original Size (KB) | HTML Minifier Next | HTML Minifier Terser | htmlnano | @swc/html | minify-html | minimize | html­com­pressor.­com |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| [A List Apart](https://alistapart.com/) | 59 | **49** | 50 | 51 | 52 | 51 | 54 | 52 |
+| [Apple](https://www.apple.com/) | 185 | **144** | **144** | 163 | 166 | 167 | 171 | 169 |
+| [BBC](https://www.bbc.co.uk/) | 712 | **646** | 656 | 668 | 669 | 670 | 706 | n/a |
+| [CSS-Tricks](https://css-tricks.com/) | 161 | 121 | **119** | 127 | 142 | 142 | 147 | 144 |
+| [ECMAScript](https://tc39.es/ecma262/) | 7237 | **6341** | **6341** | 6561 | 6444 | 6567 | 6614 | n/a |
+| [EFF](https://www.eff.org/) | 55 | **47** | **47** | 49 | 48 | 49 | 50 | 50 |
+| [FAZ](https://www.faz.net/aktuell/) | 1530 | 1425 | 1430 | **1375** | 1456 | 1467 | 1478 | n/a |
+| [Frontend Dogma](https://frontenddogma.com/) | 221 | **212** | **212** | 233 | 218 | 220 | 238 | 219 |
+| [Google](https://www.google.com/) | 18 | **17** | **17** | **17** | **17** | **17** | 18 | 18 |
+| [Ground News](https://ground.news/) | 1503 | **1287** | 1290 | 1385 | 1407 | 1413 | 1490 | n/a |
+| [HTML Living Standard](https://html.spec.whatwg.org/multipage/) | 149 | **147** | **147** | 153 | **147** | 149 | 155 | 149 |
+| [Leanpub](https://leanpub.com/) | 1723 | **1472** | **1472** | 1479 | 1478 | 1473 | 1718 | n/a |
+| [Mastodon](https://mastodon.social/explore) | 35 | **26** | **26** | 30 | 33 | 33 | 34 | 34 |
+| [MDN](https://developer.mozilla.org/en-US/) | 107 | **62** | **62** | 64 | 64 | 65 | 67 | 67 |
+| [SitePoint](https://www.sitepoint.com/) | 508 | **366** | **366** | 444 | 482 | 486 | 504 | n/a |
+| [United Nations](https://www.un.org/en/) | 153 | **114** | 116 | 123 | 127 | 126 | 132 | 125 |
+| [W3C](https://www.w3.org/) | 50 | **36** | **36** | 38 | 38 | 38 | 40 | 38 |
+| **Average processing time** |  | 388 ms (17/17) | 434 ms (17/17) | 219 ms (17/17) | 83 ms (17/17) | **21 ms (17/17)** | 455 ms (17/17) | 1348 ms (11/17) |
+
+(Last updated: Dec 6, 2025)
+<!-- End auto-generated -->
 
 ## Examples
 
@@ -386,6 +389,12 @@ ignoreCustomFragments: [/\{\{[\s\S]{0,500}?\}\}/]
 
 ## Running HTML Minifier Next
 
+### Local server
+
+```shell
+npm run serve
+```
+
 ### Benchmarks
 
 Benchmarks for minified HTML:
@@ -396,12 +405,6 @@ npm install
 npm run benchmarks
 ```
 
-### Local server
-
-```shell
-npm run serve
-```
-
 ## Acknowledgements
 
 With many thanks to all the previous authors of HTML Minifier, especially [Juriy Zaytsev](https://github.com/kangax), and to everyone who helped make this new edition better, particularly [Daniel Ruf](https://github.com/DanielRuf) and [Jonas Geiler](https://github.com/jonasgeiler).

package/cli.js

@@ -129,7 +129,7 @@ const mainOptions = {
   customAttrSurround: ['Arrays of regexes that allow to support custom attribute surround expressions (e.g., “<input {{#if value}}checked="checked"{{/if}}>”)', parseJSONRegExpArray],
   customEventAttributes: ['Arrays of regexes that allow to support custom event attributes for minifyJS (e.g., “ng-click”)', parseJSONRegExpArray],
   decodeEntities: 'Use direct Unicode characters whenever possible',
-  html5: 'Don’t parse input according to the HTML specification',
+  html5: 'Don’t parse input according to the HTML specification (not recommended for modern HTML)',
   ignoreCustomComments: ['Array of regexes that allow to ignore certain comments, when matched', parseJSONRegExpArray],
   ignoreCustomFragments: ['Array of regexes that allow to ignore certain fragments, when matched (e.g., “<?php … ?>”, “{{ … }}”)', parseJSONRegExpArray],
   includeAutoGeneratedTags: 'Don’t insert elements generated by HTML parser',

package/dist/htmlminifier.cjs

@@ -113,6 +113,9 @@ function joinSingleAttrAssigns(handler) {
   }).join('|');
 }
 
+// Number of captured parts per `customAttrSurround` pattern
+const NCP = 7;
+
 class HTMLParser {
   constructor(html, handler) {
     this.html = html;
@@ -125,7 +128,15 @@ class HTMLParser {
 
     const stack = []; let lastTag;
     const attribute = attrForHandler(handler);
-    let last, prevTag, nextTag;
+    let last, prevTag = undefined, nextTag = undefined;
+
+    // Track position for better error messages
+    let position = 0;
+    const getLineColumn = (pos) => {
+      const lines = this.html.slice(0, pos).split('\n');
+      return { line: lines.length, column: lines[lines.length - 1].length + 1 };
+    };
+
     while (html) {
       last = html;
       // Make sure we’re not in a `script` or `style` element
@@ -243,8 +254,27 @@ class HTMLParser {
       }
 
       if (html === last) {
-        throw new Error('Parse Error: ' + html);
+        if (handler.continueOnParseError) {
+          // Skip the problematic character and continue
+          if (handler.chars) {
+            await handler.chars(html[0], prevTag, '');
+          }
+          html = html.substring(1);
+          position++;
+          prevTag = '';
+          continue;
+        }
+        const loc = getLineColumn(position);
+        // Include some context before the error position so the snippet contains
+        // the offending markup plus preceding characters (e.g. "invalid<tag").
+        const CONTEXT_BEFORE = 50;
+        const startPos = Math.max(0, position - CONTEXT_BEFORE);
+        const snippet = this.html.slice(startPos, startPos + 200).replace(/\n/g, ' ');
+        throw new Error(
+          `Parse error at line ${loc.line}, column ${loc.column}:\n${snippet}${this.html.length > startPos + 200 ? '…' : ''}`
+        );
       }
+      position = this.html.length - html.length;
     }
 
     if (!handler.partialMarkup) {
@@ -261,10 +291,77 @@ class HTMLParser {
         };
         input = input.slice(start[0].length);
         let end, attr;
-        while (!(end = input.match(startTagClose)) && (attr = input.match(attribute))) {
+
+        // Safety limit: max length of input to check for attributes
+        // Protects against catastrophic backtracking on massive attribute values
+        const MAX_ATTR_PARSE_LENGTH = 20000; // 20 KB should be enough for any reasonable tag
+
+        while (true) {
+          // Check for closing tag first
+          end = input.match(startTagClose);
+          if (end) {
+            break;
+          }
+
+          // Limit the input length we pass to the regex to prevent catastrophic backtracking
+          const isLimited = input.length > MAX_ATTR_PARSE_LENGTH;
+          const searchInput = isLimited ? input.slice(0, MAX_ATTR_PARSE_LENGTH) : input;
+
+          attr = searchInput.match(attribute);
+
+          // If we limited the input and got a match, check if the value might be truncated
+          if (attr && isLimited) {
+            // Check if the attribute value extends beyond our search window
+            const attrEnd = attr[0].length;
+            // If the match ends near the limit, the value might be truncated
+            if (attrEnd > MAX_ATTR_PARSE_LENGTH - 100) {
+              // Manually extract this attribute to handle potentially huge value
+              const manualMatch = input.match(/^\s*([^\s"'<>/=]+)\s*=\s*/);
+              if (manualMatch) {
+                const quoteChar = input[manualMatch[0].length];
+                if (quoteChar === '"' || quoteChar === "'") {
+                  const closeQuote = input.indexOf(quoteChar, manualMatch[0].length + 1);
+                  if (closeQuote !== -1) {
+                    const fullAttr = input.slice(0, closeQuote + 1);
+                    const numCustomParts = handler.customAttrSurround
+                      ? handler.customAttrSurround.length * NCP
+                      : 0;
+                    const baseIndex = 1 + numCustomParts;
+
+                    attr = [];
+                    attr[0] = fullAttr;
+                    attr[baseIndex] = manualMatch[1]; // Attribute name
+                    attr[baseIndex + 1] = '='; // customAssign (falls back to “=” for huge attributes)
+                    const value = input.slice(manualMatch[0].length + 1, closeQuote);
+                    // Place value at correct index based on quote type
+                    if (quoteChar === '"') {
+                      attr[baseIndex + 2] = value; // Double-quoted value
+                    } else {
+                      attr[baseIndex + 3] = value; // Single-quoted value
+                    }
+                    input = input.slice(fullAttr.length);
+                    match.attrs.push(attr);
+                    continue;
+                  }
+                }
+                // Note: Unquoted attribute values are intentionally not handled here.
+                // Per HTML spec, unquoted values cannot contain spaces or special chars,
+                // making a 20 KB+ unquoted value practically impossible. If encountered,
+                // it’s malformed HTML and using the truncated regex match is acceptable.
+              }
+            }
+          }
+
+          if (!attr) {
+            break;
+          }
+
           input = input.slice(attr[0].length);
           match.attrs.push(attr);
         }
+
+        // Check for closing tag
+        end = input.match(startTagClose);
         if (end) {
           match.unarySlash = end[1];
           match.rest = input.slice(end[0].length);
@@ -357,7 +454,6 @@ class HTMLParser {
 
       const attrs = match.attrs.map(function (args) {
         let name, value, customOpen, customClose, customAssign, quote;
-        const ncp = 7; // Number of captured parts, scalar
 
         // Hackish workaround for FF bug https://bugzilla.mozilla.org/show_bug.cgi?id=369778
         if (IS_REGEX_CAPTURING_BROKEN && args[0].indexOf('""') === -1) {
@@ -385,7 +481,7 @@ class HTMLParser {
 
         let j = 1;
         if (handler.customAttrSurround) {
-          for (let i = 0, l = handler.customAttrSurround.length; i < l; i++, j += ncp) {
+          for (let i = 0, l = handler.customAttrSurround.length; i < l; i++, j += NCP) {
             name = args[j + 1];
             if (name) {
               quote = populate(j + 2);
@@ -608,18 +704,88 @@ function getPresetNames() {
   return Object.keys(presets);
 }
 
-const trimWhitespace = str => str && str.replace(/^[ \n\r\t\f]+/, '').replace(/[ \n\r\t\f]+$/, '');
+// Hoisted, reusable RegExp patterns and tiny helpers to avoid repeated allocations in hot paths
+const RE_WS_START = /^[ \n\r\t\f]+/;
+const RE_WS_END = /[ \n\r\t\f]+$/;
+const RE_ALL_WS_NBSP = /[ \n\r\t\f\xA0]+/g;
+const RE_NBSP_LEADING_GROUP = /(^|\xA0+)[^\xA0]+/g;
+const RE_NBSP_LEAD_GROUP = /(\xA0+)[^\xA0]+/g;
+const RE_NBSP_TRAILING_GROUP = /[^\xA0]+(\xA0+)/g;
+const RE_NBSP_TRAILING_STRIP = /[^\xA0]+$/;
+const RE_CONDITIONAL_COMMENT = /^\[if\s[^\]]+]|\[endif]$/;
+const RE_EVENT_ATTR_DEFAULT = /^on[a-z]{3,}$/;
+const RE_CAN_REMOVE_ATTR_QUOTES = /^[^ \t\n\f\r"'`=<>]+$/;
+const RE_TRAILING_SEMICOLON = /;$/;
+const RE_AMP_ENTITY = /&(#?[0-9a-zA-Z]+;)/g;
+
+// Tiny stable stringify for options signatures (sorted keys, shallow, nested objects)
+function stableStringify(obj) {
+  if (obj == null || typeof obj !== 'object') return JSON.stringify(obj);
+  if (Array.isArray(obj)) return '[' + obj.map(stableStringify).join(',') + ']';
+  const keys = Object.keys(obj).sort();
+  let out = '{';
+  for (let i = 0; i < keys.length; i++) {
+    const k = keys[i];
+    out += JSON.stringify(k) + ':' + stableStringify(obj[k]) + (i < keys.length - 1 ? ',' : '');
+  }
+  return out + '}';
+}
+
+// Minimal LRU cache for strings and promises
+class LRU {
+  constructor(limit = 200) {
+    this.limit = limit;
+    this.map = new Map();
+  }
+  get(key) {
+    const v = this.map.get(key);
+    if (v !== undefined) {
+      this.map.delete(key);
+      this.map.set(key, v);
+    }
+    return v;
+  }
+  set(key, value) {
+    if (this.map.has(key)) this.map.delete(key);
+    this.map.set(key, value);
+    if (this.map.size > this.limit) {
+      const first = this.map.keys().next().value;
+      this.map.delete(first);
+    }
+  }
+  delete(key) { this.map.delete(key); }
+}
+
+// Per-process caches
+const jsMinifyCache = new LRU(200);
+const cssMinifyCache = new LRU(200);
+
+const trimWhitespace = str => {
+  if (!str) return str;
+  // Fast path: if no whitespace at start or end, return early
+  if (!/^[ \n\r\t\f]/.test(str) && !/[ \n\r\t\f]$/.test(str)) {
+    return str;
+  }
+  return str.replace(RE_WS_START, '').replace(RE_WS_END, '');
+};
 
 function collapseWhitespaceAll(str) {
+  if (!str) return str;
+  // Fast path: if there are no common whitespace characters, return early
+  if (!/[ \n\r\t\f\xA0]/.test(str)) {
+    return str;
+  }
   // Non-breaking space is specifically handled inside the replacer function here:
-  return str && str.replace(/[ \n\r\t\f\xA0]+/g, function (spaces) {
-    return spaces === '\t' ? '\t' : spaces.replace(/(^|\xA0+)[^\xA0]+/g, '$1 ');
+  return str.replace(RE_ALL_WS_NBSP, function (spaces) {
+    return spaces === '\t' ? '\t' : spaces.replace(RE_NBSP_LEADING_GROUP, '$1 ');
   });
 }
 
 function collapseWhitespace(str, options, trimLeft, trimRight, collapseAll) {
   let lineBreakBefore = ''; let lineBreakAfter = '';
 
+  if (!str) return str;
+
   if (options.preserveLineBreaks) {
     str = str.replace(/^[ \n\r\t\f]*?[\n\r][ \n\r\t\f]*/, function () {
       lineBreakBefore = '\n';
@@ -637,7 +803,7 @@ function collapseWhitespace(str, options, trimLeft, trimRight, collapseAll) {
       if (conservative && spaces === '\t') {
         return '\t';
       }
-      return spaces.replace(/^[^\xA0]+/, '').replace(/(\xA0+)[^\xA0]+/g, '$1 ') || (conservative ? ' ' : '');
+      return spaces.replace(/^[^\xA0]+/, '').replace(RE_NBSP_LEAD_GROUP, '$1 ') || (conservative ? ' ' : '');
     });
   }
 
@@ -648,7 +814,7 @@ function collapseWhitespace(str, options, trimLeft, trimRight, collapseAll) {
       if (conservative && spaces === '\t') {
         return '\t';
       }
-      return spaces.replace(/[^\xA0]+(\xA0+)/g, ' $1').replace(/[^\xA0]+$/, '') || (conservative ? ' ' : '');
+      return spaces.replace(RE_NBSP_TRAILING_GROUP, ' $1').replace(RE_NBSP_TRAILING_STRIP, '') || (conservative ? ' ' : '');
     });
   }
 
@@ -680,7 +846,7 @@ function collapseWhitespaceSmart(str, prevTag, nextTag, options, inlineElements,
 }
 
 function isConditionalComment(text) {
-  return /^\[if\s[^\]]+]|\[endif]$/.test(text);
+  return RE_CONDITIONAL_COMMENT.test(text);
 }
 
 function isIgnoredComment(text, options) {
@@ -702,12 +868,12 @@ function isEventAttribute(attrName, options) {
     }
     return false;
   }
-  return /^on[a-z]{3,}$/.test(attrName);
+  return RE_EVENT_ATTR_DEFAULT.test(attrName);
 }
 
 function canRemoveAttributeQuotes(value) {
   // https://mathiasbynens.be/notes/unquoted-attribute-values
-  return /^[^ \t\n\f\r"'`=<>]+$/.test(value);
+  return RE_CAN_REMOVE_ATTR_QUOTES.test(value);
 }
 
 function attributesInclude(attributes, attribute) {
@@ -918,7 +1084,7 @@ async function cleanAttributeValue(tag, attrName, attrValue, options, attrs, min
   } else if (attrName === 'style') {
     attrValue = trimWhitespace(attrValue);
     if (attrValue) {
-      if (/;$/.test(attrValue) && !/&#?[0-9a-zA-Z]+;$/.test(attrValue)) {
+      if (attrValue.endsWith(';') && !/&#?[0-9a-zA-Z]+;$/.test(attrValue)) {
         attrValue = attrValue.replace(/\s*;$/, ';');
       }
       attrValue = await options.minifyCSS(attrValue, 'inline');
@@ -1237,7 +1403,10 @@ async function normalizeAttr(attr, attrs, tag, options) {
   let attrValue = attr.value;
 
   if (options.decodeEntities && attrValue) {
-    attrValue = entities.decodeHTMLStrict(attrValue);
+    // Fast path: only decode when entities are present
+    if (attrValue.indexOf('&') !== -1) {
+      attrValue = entities.decodeHTMLStrict(attrValue);
+    }
   }
 
   if ((options.removeRedundantAttributes &&
@@ -1258,8 +1427,8 @@ async function normalizeAttr(attr, attrs, tag, options) {
     return;
   }
 
-  if (options.decodeEntities && attrValue) {
-    attrValue = attrValue.replace(/&(#?[0-9a-zA-Z]+;)/g, '&amp;$1');
+  if (options.decodeEntities && attrValue && attrValue.indexOf('&') !== -1) {
+    attrValue = attrValue.replace(RE_AMP_ENTITY, '&amp;$1');
   }
 
   return {
@@ -1379,6 +1548,10 @@ const processOptions = (inputOptions) => {
       const lightningCssOptions = typeof option === 'object' ? option : {};
 
       options.minifyCSS = async function (text, type) {
+        // Fast path: nothing to minify
+        if (!text || !text.trim()) {
+          return text;
+        }
         text = await replaceAsync(
           text,
           /(url\s*\(\s*)(?:"([^"]*)"|'([^']*)'|([^\s)]+))(\s*\))/ig,
@@ -1397,10 +1570,20 @@ const processOptions = (inputOptions) => {
             }
           }
         );
-
+        // Cache key: wrapped content, type, options signature
         const inputCSS = wrapCSS(text, type);
+        const cssSig = stableStringify({ type, opts: lightningCssOptions, cont: !!options.continueOnMinifyError });
+        // For large inputs, use length and content fingerprint (first/last 50 chars) to prevent collisions
+        const cssKey = inputCSS.length > 2048
+          ? (inputCSS.length + '|' + inputCSS.slice(0, 50) + inputCSS.slice(-50) + '|' + type + '|' + cssSig)
+          : (inputCSS + '|' + type + '|' + cssSig);
 
         try {
+          const cached = cssMinifyCache.get(cssKey);
+          if (cached) {
+            return cached;
+          }
+
           const result = lightningcss.transform({
             filename: 'input.css',
             code: Buffer.from(inputCSS),
@@ -1423,12 +1606,12 @@ const processOptions = (inputOptions) => {
 
           // Preserve if output is empty and input had template syntax or UIDs
           // This catches cases where Lightning CSS removed content that should be preserved
-          if (text.trim() && !outputCSS.trim() && (looksLikeTemplate || hasUID)) {
-            return text;
-          }
+          const finalOutput = (text.trim() && !outputCSS.trim() && (looksLikeTemplate || hasUID)) ? text : outputCSS;
 
-          return outputCSS;
+          cssMinifyCache.set(cssKey, finalOutput);
+          return finalOutput;
         } catch (err) {
+          cssMinifyCache.delete(cssKey);
           if (!options.continueOnMinifyError) {
             throw err;
           }
@@ -1454,10 +1637,39 @@ const processOptions = (inputOptions) => {
 
         terserOptions.parse.bare_returns = inline;
 
+        let jsKey;
         try {
-          const result = await terser.minify(code, terserOptions);
-          return result.code.replace(/;$/, '');
+          // Fast path: avoid invoking Terser for empty/whitespace-only content
+          if (!code || !code.trim()) {
+            return '';
+          }
+          // Cache key: content, inline, options signature (subset)
+          const terserSig = stableStringify({
+            compress: terserOptions.compress,
+            mangle: terserOptions.mangle,
+            ecma: terserOptions.ecma,
+            toplevel: terserOptions.toplevel,
+            module: terserOptions.module,
+            keep_fnames: terserOptions.keep_fnames,
+            format: terserOptions.format,
+            cont: !!options.continueOnMinifyError,
+          });
+          // For large inputs, use length and content fingerprint (first/last 50 chars) to prevent collisions
+          jsKey = (code.length > 2048 ? (code.length + '|' + code.slice(0, 50) + code.slice(-50) + '|') : (code + '|')) + (inline ? '1' : '0') + '|' + terserSig;
+          const cached = jsMinifyCache.get(jsKey);
+          if (cached) {
+            return await cached;
+          }
+          const inFlight = (async () => {
+            const result = await terser.minify(code, terserOptions);
+            return result.code.replace(RE_TRAILING_SEMICOLON, '');
+          })();
+          jsMinifyCache.set(jsKey, inFlight);
+          const resolved = await inFlight;
+          jsMinifyCache.set(jsKey, resolved);
+          return resolved;
         } catch (err) {
+          if (jsKey) jsMinifyCache.delete(jsKey);
           if (!options.continueOnMinifyError) {
             throw err;
           }
@@ -1548,8 +1760,11 @@ async function createSortFns(value, options, uidIgnore, uidAttr) {
         currentTag = '';
       },
       chars: async function (text) {
+        // Only recursively scan HTML content, not JSON-LD or other non-HTML script types
+        // `scan()` is for analyzing HTML attribute order, not for parsing JSON
         if (options.processScripts && specialContentTags.has(currentTag) &&
-          options.processScripts.indexOf(currentType) > -1) {
+          options.processScripts.indexOf(currentType) > -1 &&
+          currentType === 'text/html') {
           await scan(text);
         }
       }
@@ -1562,7 +1777,8 @@ async function createSortFns(value, options, uidIgnore, uidAttr) {
   options.log = identity;
   options.sortAttributes = false;
   options.sortClassName = false;
-  await scan(await minifyHTML(value, options));
+  const firstPassOutput = await minifyHTML(value, options);
+  await scan(firstPassOutput);
   options.log = log;
   if (attrChains) {
     const attrSorters = Object.create(null);
@@ -1915,7 +2131,9 @@ async function minifyHTML(value, options, partialMarkup) {
       prevTag = prevTag === '' ? 'comment' : prevTag;
       nextTag = nextTag === '' ? 'comment' : nextTag;
       if (options.decodeEntities && text && !specialContentTags.has(currentTag)) {
-        text = entities.decodeHTML(text);
+        if (text.indexOf('&') !== -1) {
+          text = entities.decodeHTML(text);
+        }
       }
       if (options.collapseWhitespace) {
         if (!stackNoTrimWhitespace.length) {
@@ -1989,11 +2207,16 @@ async function minifyHTML(value, options, partialMarkup) {
       charsPrevTag = /^\s*$/.test(text) ? prevTag : 'comment';
       if (options.decodeEntities && text && !specialContentTags.has(currentTag)) {
         // Escape any `&` symbols that start either:
-        // 1) a legacy named character reference (i.e. one that doesn't end with `;`)
-        // 2) or any other character reference (i.e. one that does end with `;`)
+        // 1) a legacy named character reference (i.e., one that doesn’t end with `;`)
+        // 2) or any other character reference (i.e., one that does end with `;`)
         // Note that `&` can be escaped as `&amp`, without the semi-colon.
         // https://mathiasbynens.be/notes/ambiguous-ampersands
-        text = text.replace(/&((?:Iacute|aacute|uacute|plusmn|Otilde|otilde|agrave|Agrave|Yacute|yacute|Oslash|oslash|atilde|Atilde|brvbar|ccedil|Ccedil|Ograve|curren|divide|eacute|Eacute|ograve|Oacute|egrave|Egrave|Ugrave|frac12|frac14|frac34|ugrave|oacute|iacute|Ntilde|ntilde|Uacute|middot|igrave|Igrave|iquest|Aacute|cedil|laquo|micro|iexcl|Icirc|icirc|acirc|Ucirc|Ecirc|ocirc|Ocirc|ecirc|ucirc|Aring|aring|AElig|aelig|acute|pound|raquo|Acirc|times|THORN|szlig|thorn|COPY|auml|ordf|ordm|Uuml|macr|uuml|Auml|ouml|Ouml|para|nbsp|euml|quot|QUOT|Euml|yuml|cent|sect|copy|sup1|sup2|sup3|iuml|Iuml|ETH|shy|reg|not|yen|amp|AMP|REG|uml|eth|deg|gt|GT|LT|lt)(?!;)|(?:#?[0-9a-zA-Z]+;))/g, '&amp$1').replace(/</g, '&lt;');
+        if (text.indexOf('&') !== -1) {
+          text = text.replace(/&((?:Iacute|aacute|uacute|plusmn|Otilde|otilde|agrave|Agrave|Yacute|yacute|Oslash|oslash|atilde|Atilde|brvbar|ccedil|Ccedil|Ograve|curren|divide|eacute|Eacute|ograve|Oacute|egrave|Egrave|Ugrave|frac12|frac14|frac34|ugrave|oacute|iacute|Ntilde|ntilde|Uacute|middot|igrave|Igrave|iquest|Aacute|cedil|laquo|micro|iexcl|Icirc|icirc|acirc|Ucirc|Ecirc|ocirc|Ocirc|ecirc|ucirc|Aring|aring|AElig|aelig|acute|pound|raquo|Acirc|times|THORN|szlig|thorn|COPY|auml|ordf|ordm|Uuml|macr|uuml|Auml|ouml|Ouml|para|nbsp|euml|quot|QUOT|Euml|yuml|cent|sect|copy|sup1|sup2|sup3|iuml|Iuml|ETH|shy|reg|not|yen|amp|AMP|REG|uml|eth|deg|gt|GT|LT|lt)(?!;)|(?:#?[0-9a-zA-Z]+;))/g, '&amp$1');
+        }
+        if (text.indexOf('<') !== -1) {
+          text = text.replace(/</g, '&lt;');
+        }
       }
       if (uidPattern && options.collapseWhitespace && stackNoTrimWhitespace.length) {
         text = text.replace(uidPattern, function (match, prefix, index) {