handlebars-lang / handlebars.js

Minimal templating on steroids.
http://handlebarsjs.com
MIT License
17.82k stars 2.04k forks

Medium severity security issue on uglify-js dependency #1904

Closed isatria closed 1 year ago

isatria commented 1 year ago

Before filing issues, please check the following points first:

I tried reporting the issue on the link above, but the link is broken.

According to Twistlock, there is a medium-severity security issue (PRISMA-2021-0169) that needs to be addressed here, affecting the uglify-js dependency (before v3.14.3).

Is there any plan on fixing this?

jaylinski commented 1 year ago

Thanks for letting us know! We already allow every version of uglify-js v3 in the latest handlebars release, including the patched uglify-js version:

"uglify-js": "^3.1.4"

Related to #1882, https://github.com/handlebars-lang/handlebars.js/issues/1845, https://github.com/handlebars-lang/handlebars.js/pull/1879, https://github.com/handlebars-lang/handlebars.js/pull/1877 and https://github.com/handlebars-lang/handlebars.js/pull/1841#issuecomment-1074883027.

Vulnerability: https://security.snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
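The point of the reply above is that the declared caret range `^3.1.4` already admits the patched uglify-js 3.14.3, so whether an install is fixed depends on the version the lockfile actually resolved, not on the range. The following is an added example, not code from the handlebars.js project or from either commenter: it implements the caret check for major >= 1 ranges and audits a constructed package-lock fragment (the lock contents, the `auditLock` and `auditDependency` names, and the 3.14.3 fix threshold taken from the report are assumptions for illustration).

```javascript
// Added example (not from the handlebars.js project): checks whether a
// declared semver caret range admits a patched version, and whether the
// version a lockfile actually resolved meets the fix threshold.
// Assumptions: the "^3.1.4" range quoted in the thread, the 3.14.3 fix
// version from the report, and a constructed package-lock.json fragment.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number); // numeric, so 14 > 2 (not "14" < "2")
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for a range whose base major is >= 1: same major and
// version >= base. npm's special 0.x caret rules are out of scope here,
// and a bare version (no caret) is treated as an exact pin.
function caretAllows(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  const [baseMajor] = parseVersion(base);
  if (baseMajor === 0) throw new Error('0.x caret ranges not handled here');
  return parseVersion(version)[0] === baseMajor &&
    compareVersions(version, base) >= 0;
}

// Reports whether the declared range *could* pull the fix and whether the
// locked (installed) version actually *is* at or past the fix.
function auditDependency(range, fixedIn, lockedVersion) {
  return {
    rangeAdmitsFix: caretAllows(range, fixedIn),
    lockedIsFixed: compareVersions(lockedVersion, fixedIn) >= 0,
  };
}

// Constructed lockfile fragment: the range allows 3.14.3, but this install
// is still pinned by its lock to an older 3.x release.
const SAMPLE_LOCK = {
  packages: { 'node_modules/uglify-js': { version: '3.13.0' } },
};

function auditLock(lock) {
  const locked = lock.packages['node_modules/uglify-js'].version;
  return auditDependency('^3.1.4', '3.14.3', locked);
}
```

A range that admits the fix only helps once the lockfile is refreshed (for example by updating the dependency), so the locked version is the value to check when triaging a scanner finding like this one.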