mixtur / webpack-spritesmith

Webpack plugin that converts set of images into a spritesheet and SASS/LESS/Stylus mixins

Security issues #89

Open Poloten opened 4 years ago

Poloten commented 4 years ago
  High            Prototype Pollution
  Package         handlebars
  Dependency of   webpack-spritesmith [dev]
  Path            webpack-spritesmith > spritesheet-templates > handlebars
  More info       https://npmjs.com/advisories/1164

  Moderate        Denial of Service
  Package         handlebars
  Dependency of   webpack-spritesmith [dev]
  Path            webpack-spritesmith > spritesheet-templates > handlebars
  More info       https://npmjs.com/advisories/1300

  High            Arbitrary Code Execution
  Package         handlebars
  Dependency of   webpack-spritesmith [dev]
  Path            webpack-spritesmith > spritesheet-templates > handlebars
  More info       https://npmjs.com/advisories/1316

  High            Arbitrary Code Execution
  Package         handlebars
  Dependency of   webpack-spritesmith [dev]
  Path            webpack-spritesmith > spritesheet-templates > handlebars
  More info       https://npmjs.com/advisories/1324

  High            Prototype Pollution
  Package         handlebars
  Dependency of   webpack-spritesmith [dev]
  Path            webpack-spritesmith > spritesheet-templates > handlebars
  More info       https://npmjs.com/advisories/1325

Hello, is it possible to create a new version with a fix for these security issues?

mixtur commented 4 years ago

npm audit fix should help. I can raise the minimum required version for spritesheet-templates, but it won't help too much. At least one of the security issues is only fixed in handlebars@4.5.3, and the current spritesheet-templates version (10.4.2) allows versions >= 4.4.5.

Though if you insist, I will do it anyway)
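The check a consumer of webpack-spritesmith would want after running `npm audit fix`, as an added example (not code from this project or from the thread): it walks a package-lock.json and reports every installed copy of handlebars together with whether that copy has reached the 4.5.3 floor the maintainer cites, which is what the range `>=4.4.5` in spritesheet-templates 10.4.2 does not guarantee on its own. The sample lockfile is constructed, and the version comparison is a minimal numeric compare rather than the full semver grammar.

```javascript
// Added example (not code from the webpack-spritesmith project): walk a package-lock.json
// (lockfileVersion 2 or 3, whose "packages" map lists every installed copy) and report each
// installed copy of a package with whether it is at or above the version carrying the fix.
// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One entry per installed copy of `name`: { path, version, fixed }. Lockfile keys encode
// nesting: "node_modules/a/node_modules/b" is b installed privately under a.
function auditPackage(lock, name, minFixed) {
  const suffix = `node_modules/${name}`;
  const floor = parseVersion(minFixed);
  const results = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key !== suffix && !key.endsWith(`/${suffix}`)) continue;
    const fixed = compareVersions(parseVersion(meta.version), floor) >= 0;
    results.push({ path: key, version: meta.version, fixed });
  }
  return results;
}

// Paths of installed copies that still sit below the fix version.
function vulnerableCopies(lock, name, minFixed) {
  return auditPackage(lock, name, minFixed).filter((r) => !r.fixed).map((r) => r.path);
}

// Constructed lockfile fragment mirroring the dependency path from the issue. Only the
// spritesheet-templates version (10.4.2), its handlebars range (>=4.4.5) and the fix version
// (4.5.3) come from the thread; everything else is a placeholder. It deliberately carries one
// hoisted handlebars at the range floor and one nested copy already bumped by `npm audit fix`.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { "webpack-spritesmith": "*" } },
    "node_modules/webpack-spritesmith": { version: "0.0.0-placeholder", dev: true, dependencies: { "spritesheet-templates": "^10.4.2" } },
    "node_modules/spritesheet-templates": { version: "10.4.2", dev: true, dependencies: { handlebars: ">=4.4.5" } },
    "node_modules/handlebars": { version: "4.4.5", dev: true },
    "node_modules/spritesheet-templates/node_modules/handlebars": { version: "4.5.3", dev: true },
  },
};

for (const r of auditPackage(sampleLock, "handlebars", "4.5.3")) {
  console.log(`${r.fixed ? "ok  " : "VULN"} ${r.path} (${r.version})`);
}
```

Point it at a real tree by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A copy that remains below the floor after `npm audit fix` can be forced up with the `overrides` field in package.json (npm 8.3 and later).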