Closed nkbt closed 9 years ago
I don't see any way this would make our users vulnerable, but I hate broken builds. =)
Is Hogan vulnerable?
Any luck trying to swap out mustache for something that isn't breaking builds?
I'll get down to this later today.
:+1:
It is already fixed in handlebars https://github.com/wycats/handlebars.js/commit/9d4353c35cc93cbc44125efcb2c4d348cb51cf06
The new version is just not published yet.
I suggest making audit always successful in CircleCI checks, since it will usually not be our fault, and it actually does not break the build. But it is still run, so we can see its results.
It is my personal opinion, of course, and if you think otherwise I'll revert the CircleCI config.
Still runs and fails, but does not break the build.
Handlebars updated to 4.0, so the problem is fixed now.
I think we definitely need to make it fail the build. Our fault or not, we don't want to introduce upstream bugs into downstream users of our software.
Done.
The correct fix if an upstream vendor breaks our build (in order of preference):
=)
That did not fix the build, since handlebars dependencies are not updated (but still good to have).