npm audit security issue with handlebars 4.0.x #176
Comments
Thank you for the report. Looks like it was just published yesterday. I will look at what changes need to be done to upgrade; I seem to recall there was an incompatibility moving to the 4.1.x series I had on my backlog to resolve, but I guess I need to do that today 👍
I hope that this issue can be fixed in a minor or patch release; bumping the version number to 5.0.0 would require other libraries to update their
Yes, I agree. I would like to figure out one of three paths is all (maybe there are more)
Those are my thoughts, at least, in order of my own preferences.
I have traced through the one test failure and created a bug in the handlebars project for it: handlebars-lang/handlebars.js#1562 Our test suite is not really great at coverage, so I am just going through all the changes between the 4.0.14 handlebars and 4.3.1 currently. Even though I filed the bug above, I believe I found a work-around, so it won't end up as a blocker thankfully.
Just a heads-up for those looking here, there is yet another security issue handlebars is working to fix: handlebars-lang/handlebars.js#1563 . I continue to work towards the upgrade here, which will make us ready for when that new handlebars version will drop.
A new version of this module,
Ok, handlebars 4.3.3 is published now, so that will be the upgrade target. Also, AFAICT there isn't anything breaking when used through this module, so this will be a patch release for
Published as 4.0.5 with handlebars 4.3.3
NPM packages built with "audit" will fail, due to a handlebars security issue.
Updating the handlebars dependency to 4.3.1 should solve the issue.
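One check that goes with the fix described in this issue, added here as an example and not code from the issue or from the project: bumping the top-level handlebars dependency does not guarantee that every copy in the install tree is patched, because other dependencies can pin their own nested handlebars. The script below walks a package-lock.json (both the nested lockfile v1 "dependencies" tree and the flat v2/v3 "packages" map) and reports every resolved handlebars below the fixed version named in this issue (4.3.1). The sample lockfile embedded in it is constructed for the example; the function and variable names are this example's own.

```javascript
// Added example (not from the issue thread or the project): scan a package-lock.json for
// every resolved copy of a package and report those below a fixed version.
// FIXED_VERSION comes from the issue text; SAMPLE_LOCK is constructed sample data.
const FIXED_VERSION = '4.3.1';
const PACKAGE_NAME = 'handlebars';

// Parse "MAJOR.MINOR.PATCH" (a leading "v" or trailing prerelease/build tag is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of the three components; negative when a < b, 0 when equal, positive when a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect {path, version} for every copy of `name` in the lockfile.
// lockfile v2/v3: "packages" keyed by install path, e.g. "node_modules/a/node_modules/handlebars".
// lockfile v1: nested "dependencies" objects; each entry may carry its own "dependencies".
function findPackageVersions(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: key, version: entry.version });
      }
    }
    return hits; // v2 lockfiles also carry a v1-style tree; do not count it twice
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Every copy whose resolved version is older than the fixed release.
function findVulnerable(lock, name, fixed) {
  return findPackageVersions(lock, name).filter((h) => compareSemver(h.version, fixed) < 0);
}

// Constructed sample lockfile (v1 shape): the top-level copy is patched, but a dependency
// still pins a stale nested copy, which a top-level bump alone would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.3.3' },
    'some-template-lib': {
      version: '1.0.0',
      dependencies: { handlebars: { version: '4.0.14' } },
    },
  },
};

// Human-readable report lines; an empty array means every copy is at or above the fix.
function report(lock, name = PACKAGE_NAME, fixed = FIXED_VERSION) {
  return findVulnerable(lock, name, fixed).map((h) => `${h.path}: ${h.version} < ${fixed}`);
}

// Usage: node scan-lock.js [path/to/package-lock.json]; without an argument the sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const lines = report(lock);
  console.log(lines.length ? lines.join('\n') : `all ${PACKAGE_NAME} copies are >= ${FIXED_VERSION}`);
}
```

Run against the sample it prints the one stale nested copy; run against a real lockfile it tells you whether a patch release that only bumps the direct dependency actually cleared every copy that `npm audit` would flag.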