Skip to content

feat: fix critical security vulnerabilities and update dependencies #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: fix critical security vulnerabilities and update dependencies #16

wants to merge 4 commits into from

Conversation

tyler-josh
Copy link

Summary

  • Fixed critical security vulnerabilities in build tools
  • Updated dependencies to latest secure versions
  • Maintains API compatibility and build stability

Changes

  • feat: fix critical security vulnerabilities and update dependencies

Testing

  • Build verification completed
  • No breaking changes introduced

@tyler-josh
feat: fix critical security vulnerabilities and update dependencies
cf8a5f0 
BREAKING CHANGE: The minifyHtml function is now async and returns Promise<string>

Security fixes:
- Replace [email protected] with [email protected] (fixes GHSA-pfq8-rq6v-vf5m REDoS vulnerability)
- Replace [email protected] with secure custom template implementation (fixes GHSA-35jh-r3h4-6jhm command injection)
- Fix @octokit dependency vulnerabilities via npm overrides
- Update brace-expansion to fix ReDoS vulnerability

Breaking changes:
- html.minifyHtml() now returns Promise<string> instead of string
- Must await minifyHtml() function calls
- Custom template implementation replaces lodash.template (same API, safer execution)

Migration: Update minifyHtml usage from sync to async:
  Before: const result = minifyHtml(html, options);
  After:  const result = await minifyHtml(html, options);

Version bump: 3.1.1 → 3.2.0
@tyler-josh tyler-josh requested a review from a team as a code owner July 20, 2025 15:21
DRiFTy17
DRiFTy17 reviewed Jul 22, 2025
View reviewed changes
CHANGELOG.md
@@ -1,3 +1,4 @@

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it'll mess with the changelog generator, but might as well just remove the unrelated line change here

@DRiFTy17 DRiFTy17 added the major Increment the major version when merged label Jul 22, 2025
@tyler-josh
fix: remove templateOptions parameter and revert CLAUDE.md gitignore …
f2b4c17 
…changes

- Remove unused templateOptions parameter from templateFile and installFiles functions
- Revert .gitignore changes to allow team to add official CLAUDE.md guidance
- Clean up function signatures to match actual usage patterns
@DRiFTy17 DRiFTy17 added the skip-release Preserve the current version when merged label Jul 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DRiFTy17 DRiFTy17 DRiFTy17 approved these changes

Assignees
No one assigned
Labels
major Increment the major version when merged skip-release Preserve the current version when merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tyler-josh @DRiFTy17