cloverfield-tools / cf-package

Cloverfield Package Scaffold
MIT License

Update dependencies #21

Closed nkbt closed 9 years ago

nkbt commented 9 years ago

That did not fix the build, since handlebars dependencies are not updated (but still good to have)

ericelliott commented 9 years ago

I don't see any way this would make our users vulnerable, but I hate broken builds. =)

Is Hogan vulnerable?

nkbt commented 9 years ago

https://circleci.com/gh/nkbt/cf-package/19

ericelliott commented 9 years ago

Any luck trying to swap out mustache for something that isn't breaking builds?

nkbt commented 9 years ago

I'll get down to this later today.

ericelliott commented 9 years ago

:+1:

nkbt commented 9 years ago

It is already fixed in handlebars https://github.com/wycats/handlebars.js/commit/9d4353c35cc93cbc44125efcb2c4d348cb51cf06

The new version is just not published yet.

I suggest making audit always successful in CircleCI checks, since it will usually not be our fault, and it actually does not break the build. But it is still run, so we can see its results.

It is my personal opinion of course, and if you think otherwise I'll revert the CircleCI config.

nkbt commented 9 years ago

Still runs, fails, but does not break the build

nkbt commented 9 years ago

Handlebars updated to 4.0, so the problem is fixed now.

ericelliott commented 9 years ago

I think we definitely need to make it fail the build. Our fault or not, we don't want to introduce upstream bugs into downstream users of our software.

nkbt commented 9 years ago

Done.

ericelliott commented 9 years ago

The correct fix if an upstream vendor breaks our build (in order of preference):

  1. Submit an upstream PR & wait for a fix to land
  2. Choose a different vendor
  3. Fork the lib

=)