-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resolve handlebars security risk #179
Conversation
Related: |
@@ -195,7 +195,7 @@ test('syntax error', function(done) { | |||
request(app) | |||
.get('/syntax-error') | |||
.expect(500) | |||
.expect(shouldHaveFirstLineEqual('Error: ' + path.join(__dirname, 'views', 'syntax-error.hbs') + ': Parse error on line 1:')) | |||
.expect(shouldHaveFirstLineEqual('Error')) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A feature of this module is to add the path if the file to the error message. Is there no way to keep this feature working in the new handlebars?
If not, can you explain what has changed in handlebars that break this (maybe even the commit in handlbars)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a choice: Keep the feature now, and keep handlebars insecure. Or drop the feature for now and revisit once we have a CVE-less release published to NPM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, but to make the decision, it would help to understand what the cause is, so we can gauge what the effort is in order to make a 4.x release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to figure out one of three paths is all (maybe there are more)
- What can we do to upgrade to latest handlebars but keep this a 4.x release so folks get it automatically with semver ranges.
- Maybe even if we can backport the fix to the 4.0.x branch of handlebars (this was done with previous patches) thus we can bump the patch version.
- Last case, document the breaking changes and migration guide and release as 5.0 and people will need to migrate to address the issue.
Those are my thoughts, at least, in order of own own preferences.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Cut a new major release now, before people get hacked.
Worry about backwards compatible features later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @martinrue your comments are not constructive and taking away my attention to actually getting a release made. If you are that concerned, the best use of the effort would likely be to actually help address the compatibility issues to get handlebars upgraded or be to get the handlebars project to make a 4.0.x release instead of hounding me.
Related: |
See #182 |
Duplicate of #178 |
This resolves #176 .
Of course,
npm audit
complains about additional security risks that should be addressed in another ticket.