Recently, doing `npm audit`, I have found these critical vulnerabilities in dependencies like tar, handlebars, uglify-js, etc. that have already been patched in the releases stated below. Could you please bump those packages to the versions below?
Thank you!
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Symlink Arbitrary File Overwrite                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
│               │ > node-svm > node-gyp > tar                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/57                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
for handlebars
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
│               │ > node-svm > handlebars                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/61                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
and uglify-js
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Incorrect Handling of Non-Boolean Comparisons During         │
│               │ Minification                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.4.24                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 973f04893cc6187d000700eeee953c325c0f7fd575e35e3aad013cb9a78… │
│               │ > node-svm > handlebars > uglify-js                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/39                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
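Every path in the audit output above is transitive (each flagged package sits under node-svm), so the fix is a bump of the direct dependency rather than of tar or handlebars themselves. As an added example, not part of this issue or of the project's code, the following Node script walks a lockfile-shaped dependency tree, reports every chain that reaches a package named in an advisory, checks the installed version against the "Patched in" floor, and names the top-level dependency that has to change. The tree and its version numbers are constructed for the example, and the range parser only understands the `>= x.y.z` shape npm audit printed here; both are assumptions.

```javascript
// Added example, not code from the issue or the project. Walks a
// lockfile-shaped dependency tree and checks each flagged package against
// the "Patched in" floor that npm audit reported. The versions in the tree
// and the ">= x.y.z"-only range parser are assumptions made for this example.

// Parse "x.y.z" (a leading "v" is tolerated; prerelease tags are ignored,
// which is a simplification of real semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare, so that 2.10.0 > 2.9.9 (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm audit printed the floor as ">=2.0.0" or ">= 2.4.24"; only that shape
// is supported here.
function satisfiesPatched(installed, patchedIn) {
  const m = /^>=\s*(\S+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(installed, m[1]) >= 0;
}

// Constructed tree in the shape of a lockfile "dependencies" map. The
// chains mirror the Path rows in the audit output; the version numbers
// are made up for the example.
const tree = {
  dependencies: {
    'node-svm': {
      version: '2.1.1',
      dependencies: {
        'node-gyp': {
          version: '0.10.0',
          dependencies: { tar: { version: '0.1.20' } },
        },
        handlebars: {
          version: '2.0.0',
          dependencies: { 'uglify-js': { version: '2.3.6' } },
        },
      },
    },
    // A second, direct copy of tar that is already past the floor: npm can
    // hold both, and only the nested copy is the problem.
    tar: { version: '4.4.8' },
  },
};

// The three advisories from the audit output, as printed there.
const advisories = [
  { pkg: 'tar', patchedIn: '>=2.0.0', title: 'Symlink Arbitrary File Overwrite' },
  { pkg: 'handlebars', patchedIn: '>=4.0.0', title: 'Cross-Site Scripting' },
  { pkg: 'uglify-js', patchedIn: '>= 2.4.24',
    title: 'Incorrect Handling of Non-Boolean Comparisons During Minification' },
];

// Every path from the root to a node named `pkg`, with its installed version.
function findPaths(node, pkg, trail = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg) hits.push({ path, version: child.version });
    hits.push(...findPaths(child, pkg, path));
  }
  return hits;
}

// One finding per (advisory, path). `topLevel` is the direct dependency a
// maintainer has to bump (or override) because the vulnerable copy is
// nested under it.
function auditTree(root, advisoryList) {
  const findings = [];
  for (const adv of advisoryList) {
    for (const hit of findPaths(root, adv.pkg)) {
      findings.push({
        pkg: adv.pkg,
        title: adv.title,
        path: hit.path.join(' > '),
        installed: hit.version,
        patchedIn: adv.patchedIn,
        vulnerable: !satisfiesPatched(hit.version, adv.patchedIn),
        topLevel: hit.path[0],
      });
    }
  }
  return findings;
}

for (const f of auditTree(tree, advisories)) {
  const flag = f.vulnerable ? 'VULNERABLE' : 'ok        ';
  console.log(`${flag} ${f.path} (installed ${f.installed}, patched in ${f.patchedIn}) -> bump ${f.topLevel}`);
}
```

On the constructed tree this reports the nested tar, handlebars and uglify-js copies as vulnerable and the direct tar 4.4.8 as fine, each with `node-svm` as the dependency to bump, which is exactly why a request like this one has to go to the parent project rather than be fixed by installing a newer tar at the top level.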
Got the same issue here.
Would be nice if all the modules could be updated because the last update was two years ago.
I've tried it and it seems to work perfectly fine!
Thanks :)