Panini depends on vulnerable version of Handlebars?

[lukos]

The following vuln relates to Handlebars prior to version 4.3: https://nvd.nist.gov/vuln/detail/CVE-2019-19919, Panini depends on ^4.0.5.

If you agree that this version creates a vulnerability, please update the dependency of Handlebars to a later version.

[DanielRuf]

Panini depends on ^4.0.5.

This will automatically use the latest 4.x version. See https://semver.npmjs.com/

We are already aware of this, see https://github.com/foundation/panini/pull/197

[lukos]

Great thanks. I guess I need to npm update somewhere.