frankhale / electron-with-express

A simple app that demonstrates spawning an Express app from Electron
MIT License
662 stars, 145 forks

Security warnings #23

Closed peardox closed 4 years ago

peardox commented 4 years ago

npm install gives

found 6 vulnerabilities (1 moderate, 4 high, 1 critical) run npm audit fix to fix them, or npm audit for details

npm audit gives

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Severity  Issue                     Package     Patched in                   Dependency of  Path              More info
Critical  Prototype Pollution       handlebars  >=4.0.14 <4.1.0 || >=4.1.2   hbs            hbs > handlebars  https://npmjs.com/advisories/755
High      Prototype Pollution       handlebars  >=4.3.0                      hbs            hbs > handlebars  https://npmjs.com/advisories/1164
Moderate  Denial of Service         handlebars  >=4.4.5                      hbs            hbs > handlebars  https://npmjs.com/advisories/1300
High      Arbitrary Code Execution  handlebars  >=4.5.2                      hbs            hbs > handlebars  https://npmjs.com/advisories/1316
High      Arbitrary Code Execution  handlebars  >=4.5.3                      hbs            hbs > handlebars  https://npmjs.com/advisories/1324
High      Prototype Pollution       handlebars  >=4.5.3                      hbs            hbs > handlebars  https://npmjs.com/advisories/1325

found 6 vulnerabilities (1 moderate, 4 high, 1 critical) in 203 scanned packages
6 vulnerabilities require manual review. See the full report for details.

frankhale commented 4 years ago

In the express-app I'm using hbs, which depends on this vulnerable handlebars. Not sure what I can do to resolve it, I have the latest hbs package now.

Looks like hbs is aware and is tracking this: https://github.com/pillarjs/hbs/issues/185
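The audit report in the first post lists six handlebars advisories, each with its own "Patched in" range, and the comment above notes that the only route to them is the transitive path hbs > handlebars. The Node script below is an added example, not code from the electron-with-express project or from the hbs maintainers: it transcribes those six ranges and answers the two questions a maintainer in this situation has, which advisories a given installed handlebars version still leaves open, and what the lowest version is that closes all of them. The range matcher is deliberately minimal, supporting only the comparator forms that appear in these six ranges (npm's own `semver` package handles the full syntax); the version strings fed to it other than the ones in the report are constructed inputs for illustration.

```javascript
// Added example: check an installed handlebars version against the six
// advisories quoted in the npm audit report above. Not project code.

// Advisory data transcribed from the audit report in the issue.
const ADVISORIES = [
  { id: 755,  severity: 'critical', title: 'Prototype Pollution',      patched: '>=4.0.14 <4.1.0 || >=4.1.2' },
  { id: 1164, severity: 'high',     title: 'Prototype Pollution',      patched: '>=4.3.0' },
  { id: 1300, severity: 'moderate', title: 'Denial of Service',        patched: '>=4.4.5' },
  { id: 1316, severity: 'high',     title: 'Arbitrary Code Execution', patched: '>=4.5.2' },
  { id: 1324, severity: 'high',     title: 'Arbitrary Code Execution', patched: '>=4.5.3' },
  { id: 1325, severity: 'high',     title: 'Prototype Pollution',      patched: '>=4.5.3' },
];

const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Parse "MAJOR.MINOR.PATCH" into a numeric triple. Pre-release tags are not
// handled, which is enough for the ranges quoted in the report.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: alternatives separated by "||", each alternative a
// space-separated conjunction of comparators (>=, >, <=, <, =).
function satisfies(version, range) {
  const ops = {
    '>=': c => c >= 0, '>': c => c > 0,
    '<=': c => c <= 0, '<': c => c < 0, '=': c => c === 0,
  };
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      return ops[m[1] || '='](compareVersions(version, m[2]));
    }));
}

// Advisories that still apply to an installed handlebars version.
function openAdvisories(installedVersion) {
  return ADVISORIES.filter(a => !satisfies(installedVersion, a.patched));
}

// Highest severity among the open advisories, or null when all are resolved.
function worstSeverity(installedVersion) {
  return openAdvisories(installedVersion)
    .map(a => a.severity)
    .reduce((worst, s) => (SEVERITY_RANK[s] > (SEVERITY_RANK[worst] || 0) ? s : worst), null);
}

// CI-style gate: true when any open advisory meets the severity threshold.
function shouldFailBuild(installedVersion, threshold = 'high') {
  const w = worstSeverity(installedVersion);
  return w !== null && SEVERITY_RANK[w] >= SEVERITY_RANK[threshold];
}

// Lowest version literal mentioned in any patched range that closes every
// advisory; this is the version the transitive dependency needs to reach.
function lowestResolvingVersion() {
  const candidates = ADVISORIES.flatMap(a => a.patched.match(/\d+\.\d+\.\d+/g));
  return candidates.sort(compareVersions).find(v => openAdvisories(v).length === 0) || null;
}

// Demo over a few constructed installed versions.
for (const v of ['4.0.12', '4.1.0', '4.1.2', '4.5.2', '4.5.3']) {
  const open = openAdvisories(v);
  const ids = open.length ? ` (${open.map(a => a.id).join(', ')})` : '';
  console.log(`handlebars@${v}: ${open.length} open advisories${ids}, worst: ${worstSeverity(v)}`);
}
console.log(`lowest version closing all advisories: ${lowestResolvingVersion()}`);
```

The interesting case is advisory 755: `4.1.0` satisfies `>=4.0.14` but not `<4.1.0`, and is below `4.1.2`, so it is still open even though it is newer than `4.0.14`; a naive "is the version at least X" check would get that wrong. Because the only path is hbs > handlebars, the number `lowestResolvingVersion()` returns is what the hbs release (or a lockfile override) has to pull in before `npm audit` comes back clean.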

frankhale commented 4 years ago

Thanks for the report, I've updated the dependencies in 613924f2726fe3ac089e98601efc5fd78de65f54

frankhale commented 4 years ago

There is a pull request on HBS that has been sitting for 27 days. Absolutely unbelievable. Upstream has limited any comments, issues and pull requests to collaborators which is again unbelievable.

frankhale commented 4 years ago

Just updated HBS since they pushed a new release not too recently fixing the security warnings.