iot/mqtt_example reports high severity vulnerability - handlebars

[nkolban]

I'm following the recipe for installing the IoT mqtt_example. When I run npm install a high severity vulnerability is reported. Performing npm audit upon it, reports:

                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.14 <4.1.0 || >=4.1.2                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @google-cloud/nodejs-repo-tools [dev]                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @google-cloud/nodejs-repo-tools > nyc > istanbul-reports >   │
│               │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/755                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 5646 scanned packages
  1 vulnerability requires manual review. See the full report for details.

[fhinkel]

cc @gguuss

[gguuss]

@hongalex Can we remove the nodejs-repo-tools?

[gguuss]

Looks like we'll need to update the dependencies within nodejs-repo-tools.

[hongalex]

nodejs-repo-tools got patched with a newer version of nyc. Once that hits npm, I'll make a PR and close this issue.

In addition, we're also slowly moving NodeJS tests off of using nodejs-repo-tools since we're mostly using it to spawn child processes which we can do with the child_process library.