Zenika-Training / zenika-formation-framework

Tools to build and present our training material

[DEPENDENCIES] Update mustache #231

Closed elenoir closed 6 years ago

elenoir commented 6 years ago

mustache has a known CVE allowing XSS attacks (cf https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8862)

We should upgrade after 2.2.1; I'm not a front specialist. Any risk (regression) in directly updating it in the package.json? cc @hgwood

hgwood commented 6 years ago

mustache is not a direct dependency. Most, if not every, old package that we have in our dependency tree is under grunt 0.4. There were multiple efforts in the past to update to grunt 1.0, but it's quite hard, so that was abandoned in favor of swapping grunt for something more modern. Efforts to transition to webpack are underway.
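The situation described in this thread, a vulnerable package that only appears transitively, as an added example that is not part of the original issue or of the project's own code: a small Node.js script that walks an `npm ls --json` style tree and reports every copy of mustache below the fixed version. The sample tree, the plugin name `some-grunt-plugin` and the version numbers in it are constructed for illustration.

```javascript
// Added example: find every copy of a package below a fixed version in an
// `npm ls --json` style tree, so transitive copies (e.g. under grunt 0.4
// plugins) are reported with their full path. Run `npm ls --json` to get
// the real tree; the one below is constructed for illustration.

const FIXED_MUSTACHE = '2.2.1'; // first version past the CVE, per the issue

// Minimal comparison for plain x.y.z versions (no ranges or prereleases).
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not below the fix
}

// Recursively collect "parent@ver > child@ver > ..." paths to every
// instance of `name` whose version is below `fixed`.
function findVulnerable(tree, name, fixed, path = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name && isBelow(info.version, fixed)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(info, name, fixed, here)); // nested copies
  }
  return hits;
}

// Constructed sample: mustache is not a direct dependency; one old copy
// sits under a hypothetical grunt plugin, one fixed copy elsewhere.
const sampleTree = {
  name: 'zenika-formation-framework',
  dependencies: {
    grunt: { version: '0.4.5', dependencies: {
      'some-grunt-plugin': { version: '1.0.0', dependencies: {
        mustache: { version: '0.8.2' } } } } },
    webpack: { version: '4.0.0', dependencies: {
      mustache: { version: '2.3.0' } } },
  },
};

const report = findVulnerable(sampleTree, 'mustache', FIXED_MUSTACHE);
console.log(report.join('\n')); // one line per vulnerable copy
```

The reported path tells you which direct dependency (here grunt) must be upgraded or replaced for the fix to reach the tree, which is the question the thread raises.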