Open axago opened 4 years ago
spacejack
commented
4 years ago One workaround is to explicity add the current version of handlbars as a dependency to your package.json:
"dependencies": {
...
"express-handlebars": "^3.1.0",
"handlebars": "^4.4.2",
...
},NPM will no longer show the warning.
jfoclpf
commented
4 years ago same here
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-handlebars > handlebars > optimist > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
UziTech
commented
4 years ago I have finally gotten around to moving this repo to https://github.com/express-handlebars/express-handlebars/ any new development will be done on that repo.
jfoclpf
commented
4 years ago @UziTech what about the npm package? Does it point to the new repo, such that npm update does update this dependency? Thanks
UziTech
commented
4 years ago yes the npm package should point to the correct repo since v4.0.0
jfoclpf
commented
4 years ago Thanks a lot @UziTech , nonetheless it seems the error persist cause handlebars has not yet been updated to remove the vulnerability of its dependencies
npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-handlebars > handlebars > optimist > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
$ npm list handlebars express-handlebars optimist minimist
delp.pt@1.0.26 /home/joao/delp.pt
├─┬ express-handlebars@4.0.0
│ └─┬ handlebars@4.7.3
│ └─┬ optimist@0.6.1
│ └── minimist@0.0.10 @UziTech I realized on your dependency of handlebars on your new repo that you have a fixed version dependency.
"handlebars": "^4.7.3",
Maybe it's recommendable to have "4.7.x" or even "4.x" since according to instructions should be always backward compatible
"Versions of handlebars prior to are vulnerable to Prototype Pollution leading to Remote Code Execution"
Remediation Upgrade to version 4.3.0 or later.