moderate severity security vulnerability on handlebars dependency

[rbecheras]

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

The actual dependency is on handlebars v1.3.0.

See the CVE ticket: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861

Thus handlebars should be upgraded to v4+, i.e. to the latest stable release.

NB:

• The priority is low because it is a devDependency.
• The upgrade could break the CI jobs because moving over 3 major releases: v1.x −> v4.x

[assemblebot]

@rbecheras Thanks for the issue! If you're reporting a bug, please be sure to include:

• The version of assemble you are using.
• Your assemblefile.js (This can be in a gist)
• The commandline output. (Screenshot or gist is fine)
• What you expected to happen instead.

[doowb]

Handlebars isn't even used directly in this lib or the tests. I don't remember why it's in here. If you'd like to remove it and see if the tests pass, I'm fine with that.

[rbecheras]

Yes indeed it's a bit weird to have it as development dependency. I'll try to remove it and we'll see