Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution.
Handlebars is being included by istanbul-middleware, which is deprecated and no longer being updated. It is a code coverage tool and we only loaded it in the dev environment.
After this change
This change removes istanbul-middleware and its handlebars dependency. It also explicitly adds js-yaml to the package.json, which was missing even though we use it. Istanbul-middleware included js-yaml, so it was loading it from there.
…ebars < 4.3.0
Prior to this change
Handlebars is being included by istanbul-middleware, which is deprecated and no longer being updated. It is a code coverage tool and we only loaded it in the dev environment.
After this change
This change removes istanbul-middleware and its handlebars dependency. It also explicitly adds js-yaml to the package.json, which was missing even though we use it. Istanbul-middleware included js-yaml, so it was loading it from there.
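
The js-yaml case described above, a module the code loads but package.json never declares, can be checked for before a dependency is removed. This is an added example, not part of the original change; the function names, file names and sample package.json are constructed, and the core-module list is a deliberately short subset.

```javascript
// Subset of Node core modules (assumption: extend for your code base).
const CORE = new Set(['assert', 'buffer', 'child_process', 'crypto', 'events', 'fs',
  'http', 'https', 'net', 'os', 'path', 'stream', 'tls', 'url', 'util', 'zlib']);

// Matches require('x'), import('x'), import ... from 'x' and bare import 'x'.
const SPECIFIER = /(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"\n]+)\1/g;

// 'js-yaml/lib/x' -> 'js-yaml', '@scope/pkg/sub' -> '@scope/pkg'.
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function isExternal(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return false; // local file
  if (specifier.startsWith('node:')) return false;                          // core module
  return !CORE.has(packageName(specifier));
}

// pkg: parsed package.json; sources: { filename: sourceText }.
// Returns { packageName: [files that load it] } for packages not declared in pkg.
function findUndeclaredDependencies(pkg, sources) {
  const declared = new Set(['dependencies', 'devDependencies', 'peerDependencies',
    'optionalDependencies'].flatMap((field) => Object.keys(pkg[field] || {})));
  const undeclared = {};
  for (const [file, text] of Object.entries(sources)) {
    for (const match of text.matchAll(SPECIFIER)) {
      const name = packageName(match[2]);
      if (!isExternal(match[2]) || declared.has(name)) continue;
      if (!undeclared[name]) undeclared[name] = [];
      if (!undeclared[name].includes(file)) undeclared[name].push(file);
    }
  }
  return undeclared;
}

// Constructed sample: js-yaml is used but only present via a transitive dependency.
const samplePkg = {
  dependencies: { express: '*' },
  devDependencies: { 'istanbul-middleware': '*' },
};
const sampleSources = {
  'lib/config.js': "const fs = require('fs');\nconst yaml = require('js-yaml');\n",
  'server.js': "const express = require('express');\nconst cfg = require('./lib/config');\n",
  'dev/coverage.js': "const im = require('istanbul-middleware');\n",
};
console.log(findUndeclaredDependencies(samplePkg, sampleSources));
```

The check is regex-based, so it also matches specifiers inside comments and strings; treat its output as a list to review, not a verdict.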