mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

Update minimist to 1.2.8 #218

Closed gene1wood closed 10 months ago

gene1wood commented 10 months ago

The current version of handlebars (4.7.8) depends on minimist but specifies the vulnerable version (1.2.5).

Until handlebars 5 comes out, we need to set a minimist version manually. After it's out, we can remove the dependency on minimist.

https://github.com/handlebars-lang/handlebars.js/issues/1851
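The comment above describes a transitive dependency (minimist, pulled in by handlebars) that is locked to a version the issue considers vulnerable, and the later comments discuss why npm audit fix did not flag it. The script below is an added example, not code from mozilla/ssl-config-generator or from anyone in this thread: it scans a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map) for every installed copy of a package older than a minimum version, reports which packages declare a range on it, and builds the package.json "overrides" entry (supported by npm 8.3 and later) that pins it across the whole tree. The lock file in the block is constructed for illustration, and the 1.2.8 minimum is taken from the issue title.

```javascript
// Added example, not code from mozilla/ssl-config-generator: scan a
// package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map)
// for copies of a transitive dependency older than the version you want,
// report which packages declare a range on it, and build the package.json
// "overrides" entry that pins it. Versions are compared as plain x.y.z;
// any prerelease suffix is ignored (assumption made for brevity).
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` whose version is below `minVersion`.
// Lock paths end in "node_modules/<name>", including nested copies such as
// "node_modules/handlebars/node_modules/minimist".
function findOutdatedCopies(lock, name, minVersion) {
  const hits = [];
  for (const [loc, entry] of Object.entries(lock.packages || {})) {
    if (loc === '') continue; // root project entry
    if (!loc.endsWith('node_modules/' + name) || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ location: loc, version: entry.version });
    }
  }
  return hits;
}

// Which packages declare `name` as a dependency, and with what range.
function findDependents(lock, name) {
  const deps = [];
  for (const [loc, entry] of Object.entries(lock.packages || {})) {
    const range = entry.dependencies && entry.dependencies[name];
    if (range) deps.push({ location: loc || '(root)', range });
  }
  return deps;
}

// The package.json fragment that makes npm install exactly `version`
// wherever `name` appears in the tree (npm 8.3+ "overrides").
function buildOverride(name, version) {
  return { overrides: { [name]: version } };
}

// Constructed sample lock (not the real project's lock) in which the
// installed minimist is the version the issue calls vulnerable.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { handlebars: '^4.7.8' } },
    'node_modules/handlebars': { version: '4.7.8', dependencies: { minimist: '^1.2.5' } },
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/some-tool/node_modules/minimist': { version: '1.2.8' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findOutdatedCopies(SAMPLE_LOCK, 'minimist', '1.2.8'));
  console.log(findDependents(SAMPLE_LOCK, 'minimist'));
  console.log(JSON.stringify(buildOverride('minimist', '1.2.8'), null, 2));
}
```

Run it against a real lock with `node script.js` after replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. Note that a "^1.2.5" range in the dependent already admits 1.2.8, so a fresh install resolves to the newer version; the override only matters when the lock file has frozen the older copy and you do not want to regenerate the whole lock.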

janbrasna commented 10 months ago

@gene1wood Instead of adding it manually you could just run npm audit to fix the version only in package-lock and keep it bumped there.

gene1wood commented 10 months ago

@janbrasna sounds good to me, I'll do that, thank you.

gene1wood commented 10 months ago

@janbrasna Actually I can't seem to get npm audit fix to identify and fix the vulnerability in minimist 1.2.5 for some reason.

(There is a tangential issue: we're using browser-sync 3.0.2, which doesn't work with the newest version of browser-sync-webpack-plugin, 2.3.0, because https://github.com/Va1/browser-sync-webpack-plugin/pull/96 isn't merged and released yet; but even when rolling back to browser-sync 2.29.3, npm audit doesn't call out and offer to fix the minimist issue. Fixed in #220.)

I'll just leave it like this (in an imperfect state) for the time being.

janbrasna commented 10 months ago

Gotcha. I was about to test the browsersync v2-v3 compatibility myself too ;) The minimist update should be easy to lock to a specific version as dependabot tried, but who knows. The handlebars maintainers state that any clean npm install should pull the fixed version correctly; no idea why an audit fix doesn't resolve it.