FWeinb / grunt-svgstore

Merge svgs from a folder
MIT License

Consider upgrading handlebars to 4.0.0 #137

Closed vitorbaptista closed 5 years ago

vitorbaptista commented 6 years ago

Handlebars < 4.0.0 has a vulnerability that allows XSS when there is an attribute in a template that's not quoted (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861).

As far as I could see, grunt-svgstore isn't vulnerable to this, but this should be an easy upgrade, and will silence GitHub complaining about a vulnerable package in my package-lock.json.

I'd be happy to submit a PR.
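The mechanism behind CVE-2015-8861 that the comment above refers to, as an added example (not code from this issue, from grunt-svgstore, or from the Handlebars project): before 4.0.0, `Handlebars.escapeExpression()` escaped `& < > " '` but not `=`, so a value bound into an unquoted attribute such as `<a href={{url}}>` could smuggle in a second attribute. The escape tables below are reconstructed here from the published fix (4.0.0 added `=` and `` ` `` to the escaped set) rather than copied from Handlebars; the renderer, the tiny start-tag attribute parser, and the lint helper `findUnquotedAttributeBindings` are this example's own. The script runs under Node with no dependencies.

```javascript
// Added example, not code from grunt-svgstore or Handlebars. Escape tables are
// reconstructed from the CVE-2015-8861 fix ('=' and '`' added in 4.0.0); the
// renderer, parser and lint below are written for this example only.

// Assumed pre-4.0.0 behaviour: only & < > " ' are escaped.
const escapePre4 = (s) =>
  String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);

// Assumed 4.0.0 behaviour: '=' and '`' are escaped as well, so an interpolated
// value can never introduce a new attribute inside an unquoted attribute value.
const escape4 = (s) =>
  String(s).replace(/[&<>"'`=]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
    '`': '&#x60;', '=': '&#x3D;',
  })[ch]);

// Minimal mustache renderer: only {{name}} bindings are supported here.
function render(template, ctx, escaper) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => escaper(ctx[name]));
}

// Minimal start-tag attribute tokenizer following the HTML rules that matter here:
// an attribute name ends at whitespace, '/', '>' or '='; an unquoted value ends at
// whitespace or '>'; character references in attribute *names* are never decoded.
// Only the first start tag of the input is examined.
function parseStartTagAttributes(html) {
  const attrs = {};
  let i = html.indexOf(' ');
  const end = html.indexOf('>');
  if (i === -1 || end === -1 || i > end) return attrs;
  while (i < end) {
    while (i < end && /[\s/]/.test(html[i])) i++;
    if (i >= end) break;
    let name = '';
    while (i < end && !/[\s/=]/.test(html[i])) name += html[i++];
    while (i < end && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < end && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && html[i] !== q) value += html[i++];
        i++; // skip the closing quote
      } else {
        while (i < end && !/\s/.test(html[i])) value += html[i++];
      }
    }
    if (name) attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Lint helper: report {{...}} / {{{...}}} bindings used as an unquoted attribute
// value, the template shape that CVE-2015-8861 affects.
function findUnquotedAttributeBindings(template) {
  const hits = [];
  const re = /([\w:-]+)\s*=\s*(\{\{\{?[^}]*\}\}\}?)/g;
  let m;
  while ((m = re.exec(template)) !== null) hits.push({ attr: m[1], binding: m[2] });
  return hits;
}

// Constructed demo inputs (not taken from any real template or report).
const TEMPLATE_UNQUOTED = '<a href={{url}}>link</a>';
const TEMPLATE_QUOTED = '<a href="{{url}}">link</a>';
const PAYLOAD_UNQUOTED = { url: 'x onmouseover=alert(1)' };   // needs no quotes or angle brackets
const PAYLOAD_QUOTED = { url: '" onmouseover="alert(1)' };     // would need to close the quote first

function demo() {
  const pre4 = render(TEMPLATE_UNQUOTED, PAYLOAD_UNQUOTED, escapePre4);
  const v4 = render(TEMPLATE_UNQUOTED, PAYLOAD_UNQUOTED, escape4);
  const quotedPre4 = render(TEMPLATE_QUOTED, PAYLOAD_QUOTED, escapePre4);
  return {
    pre4, pre4Attrs: parseStartTagAttributes(pre4),
    v4, v4Attrs: parseStartTagAttributes(v4),
    quotedPre4, quotedPre4Attrs: parseStartTagAttributes(quotedPre4),
    lintUnquoted: findUnquotedAttributeBindings(TEMPLATE_UNQUOTED),
    lintQuoted: findUnquotedAttributeBindings(TEMPLATE_QUOTED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The quoted case is why a project whose templates always quote attribute values is not affected by this CVE: pre-4.0.0 escaping already turns `"` into `&quot;`, so the payload stays inside `href`. The unquoted case is the one the upgrade closes, and `findUnquotedAttributeBindings` is the check to run over a project's `.hbs` templates before deciding whether the upgrade is a hygiene fix or an actual exposure.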

vitorbaptista commented 6 years ago

Adding to that, handlebars 2.0.0 requires uglify 2.3, which has a couple of vulnerabilities of its own:

ntwb commented 6 years ago

@FWeinb @jonathantneal @roblevintennis Any chance on getting this updated and a new release please?

roblevintennis commented 6 years ago

@vitorbaptista @ntwb I'm a contributor not a maintainer that can merge PRs (um, I don't think). The suggestion sounds sensible enough.

Since a PR was offered by @vitorbaptista, I'd recommend going ahead and pushing one up and hopefully those with merge access will take care of that. Sorry I can't be more help there.

medarob commented 5 years ago

Someone, please merge the fix :)

jonathantneal commented 5 years ago

Resolved by #142