jsdoc2md / dmd

The default output template for jsdoc2md
MIT License

Update (nested) dependencies with reported vulnerabilities #45

Closed gregswindle closed 7 years ago

gregswindle commented 7 years ago

Description of changes


1. Update dmd's dependencies to use handlebars@4.0.6, which itself has updated its nested dependencies that address three reported vulnerabilities:

1.1. Quoteless Attributes in Templates can lead to Content Injection
Discovered in a nested dependency: jsdoc-to-markdown@3.0.0 --> dmd@3.0.3 --> handlebars@3.0.3

1.2. Incorrect Handling of Non-Boolean Comparisons During Minification
Discovered in a nested dependency: jsdoc-to-markdown@3.0.0 --> dmd@3.0.3 --> handlebars@3.0.3 --> uglify-js@2.3.6

1.3. Regular Expression Denial of Service
Discovered in a nested dependency: jsdoc-to-markdown@3.0.0 --> dmd@3.0.3 --> handlebars@3.0.3 --> uglify-js@2.3.6

2. Replace deprecated Buffer() with safe-buffer^5.0.1

This addresses NSP's Remote Memory Disclosure vulnerability.

3. Run standard --fix

Format two functions in total. Please see diffs below.

:information_source: walk-back is pinned, out of date on David-DM

I did not address this (but I'd be happy to investigate).

:white_check_mark: npm test status: pass

npm test passes on these Travis-CI builds:

:white_check_mark: Functional tests status: pass

So far I only have two sample docs generated by this fork of jsdoc2md/dmd with updated handlebars@4.0.6.

  1. :book: Example API generated by jsdoc-to-markdown with forked gregswindle/dmd. This API doc was generated from annotated ES6 JavaScript.

  2. :book: Typescript and react API generated with jsdoc2md. This sample was based on the WebPack-generated dist directory from Microsoft/TypeScriptSamples/react-flux-babel-karma.

:question: Are tests with typescript and flow needed?

I'm not sure how well (or whether) typescript and flow are supported by jsdoc2md (or jsdoc, for that matter). Regardless, I've tested very little with typescript, and I haven't tested flow at all.

Pull request (PR) check-list

  1. Type of change
    • [x] Chore
    • [x] Tests
  2. Code standards compliance
    • [x] Yes, standard passes (except for apparent false-negatives regarding reg-ex escape characters)
  3. Code quality. Do the quality gateways pass with an "A" grade?
    • [x] Security
  4. Test coverage I did not add tests/specs for coverage, since I only upgraded dependencies. npm test passes just fine, however, on Travis-CI builds for

75lb commented 7 years ago

No, jsdoc2md does not support Typescript or flow (without plugins), only Javascript.

Also, please remove use of safe-buffer - it is superfluous bloat. Security is not an issue.

gregswindle commented 7 years ago

@75lb , I'm looking into the pipe now. I'll also remove safe-buffer.

BTW, do you have a project with test fixtures you like to use? Never mind, found dmd/test/fixture 😳

75lb commented 7 years ago

I do have a testbed but it's a bit messy; I wrote some basic instructions on the readme: https://github.com/jsdoc2md/testbed

gregswindle commented 7 years ago

Thanks for the testbed. I'm at my day job now, but I'll resume this evening (CDT). It looks like something to do with the regexes, but I haven't investigated deeply yet.

BTW, I removed, tested, and pushed safe-buffer.

75lb commented 6 years ago

handlebars upgraded in the latest release of dmd (v3.0.7).