bower / bower

A package manager for the web
bower.io
MIT License
14.99k stars 1.85k forks

Currently uses a version of handlebars that contains a critical vulnerability #2595

Closed tyranhenry closed 2 years ago

tyranhenry commented 3 years ago

There is a failed pull request open here to update the version of handlebars from 4.5.3 to 4.7.7, and it requires merging, as the 4.5.3 version of handlebars currently contains a critical vulnerability: https://github.com/advisories/GHSA-f2jv-r9rf-7988

sheerun commented 2 years ago

This is purposeful, as newer versions of request and configstore aren't compatible with old node versions and Bower is in maintenance mode: we don't break backward compatibility. I determined that these vulnerabilities aren't important enough to justify a new breaking release. The preferred upgrade method for someone who really cares about security is to migrate to Yarn: https://bower.io/blog/2017/how-to-migrate-away-from-bower/
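The practical question left open by this thread is whether a given project actually has the unpatched transitive copy of handlebars installed under bower. The script below is an added example, not code from the Bower project or from either participant: it walks an npm lockfile in either the v1 shape (nested `dependencies`) or the v2/v3 shape (flat `packages`) and lists every install path whose handlebars version is below 4.7.7, the version the issue names as the fix. The embedded lockfile is constructed for illustration (the bower version in it is a placeholder), and the semver comparison is a minimal MAJOR.MINOR.PATCH compare that ignores prerelease tags.

```javascript
// Added example (not part of the Bower project): find copies of a package in an
// npm lockfile whose version is below a known-fixed version.

const FIXED_VERSION = '4.7.7'; // version the issue says the PR would bump handlebars to

// Minimal semver compare on MAJOR.MINOR.PATCH; prerelease suffixes are ignored.
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile and return every install path of `name` with version < `fixed`.
// Handles lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 ("dependencies", nested by parent package).
function findVulnerable(lock, name, fixed) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx < 0) continue; // "" is the root project; workspace links carry no node_modules/ segment
      const pkgName = path.slice(idx + 'node_modules/'.length); // keeps @scope/pkg intact
      if (pkgName === name && meta.version && compareVersions(meta.version, fixed) < 0) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name && meta.version && compareVersions(meta.version, fixed) < 0) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v2 shape): the app depends on bower, which carries its own
// handlebars 4.5.3, while a sibling copy at the top level is already at the fixed version.
// The bower version string is a placeholder, not a specific release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/bower': { version: '1.8.0' },
    'node_modules/bower/node_modules/handlebars': { version: '4.5.3' },
    'node_modules/handlebars': { version: '4.7.7' },
  },
};

// Run against the sample, or against a real package-lock.json given on the command line.
if (typeof require === 'function' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock, 'handlebars', FIXED_VERSION);
  for (const h of hits) console.log(`${h.path}: handlebars ${h.version} < ${FIXED_VERSION}`);
  if (hits.length === 0) console.log('no handlebars below ' + FIXED_VERSION + ' found');
}
```

On the sample it reports only `node_modules/bower/node_modules/handlebars` at 4.5.3; the top-level 4.7.7 copy is not flagged. Run it as `node scan.js path/to/package-lock.json` to check a real install. A hit under bower's own `node_modules` means the maintainer's decision above applies to you regardless of what version of handlebars your own project pins.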