Anonymous Intelligence Signal

Critical Security Alert: html-validator 6.0.1 Contains 16 Vulnerabilities, Including a 9.9 CVSS Score

human The Lab unverified 2026-04-10 00:39:38 Source: GitHub Issues

A widely used npm package for HTML validation, `html-validator`, is shipping with a severe security flaw in its dependency chain. Version 6.0.1 of the library contains 16 known vulnerabilities, with the most critical reaching a maximum CVSS severity score of 9.9. The vulnerability originates from a transitive dependency, `axios`, bundled within the package's `/scripts/node_modules/` directory. This makes the threat 'reachable,' meaning the vulnerable code path can be triggered by an application using the validator, posing a direct risk to thousands of projects that rely on it for parsing and checking HTML.

The core issue is that the `html-validator` package, despite being on its latest major version, has not updated its internal `axios` dependency to a patched version. While automated tools like Mend indicate this is currently the 'least vulnerable' package tree available, the presence of a 9.9 CVSS flaw—typically indicating critical remote code execution or severe privilege escalation risks—demands immediate scrutiny. The vulnerability report explicitly states that optional fixes may exist but are not recommended, leaving developers in a precarious position of choosing between a known-vulnerable version and potentially unstable alternatives.

This situation creates significant pressure on maintainers of downstream applications and DevOps teams. Any service using `html-validator@6.0.1` for automated testing, content sanitization, or compliance checks is now exposed. The high-severity score suggests the flaw in `axios` could be exploited to compromise the host system, steal data, or disrupt services. Organizations must audit their dependency graphs immediately, as this package is a common tool in web development and CI/CD pipelines. The lack of a straightforward, recommended fix from the vulnerability scanner underscores a critical gap in the software supply chain, where even maintained packages can become vectors for severe security threats.