twolfson / gulp.spritesmith

Convert a set of images into a spritesheet and CSS variables via gulp
The Unlicense

Security issues raised by nodesecurity.io #93

Closed ebdrup closed 8 years ago

ebdrup commented 8 years ago

Thanks for an awesome module! We love it :-)

The old version of handlebars used by gulp.spritesmith is giving us security warnings from nodesecurity.io. Would it be possible to bump to a newer version of handlebars?

Quoteless Attributes in Templates can lead to Content Injection
Module      handlebars@3.0.3
Vulnerable  <4.0.0
Patched     >=4.0.0
Path        gulp.spritesmith@6.2.1 > spritesheet-templates@10.1.2 > handlebars@3.0.3

Regular Expression Denial of Service
Module      uglify-js@2.3.6
Vulnerable  <2.6.0
Patched     >=2.6.0
Path        gulp.spritesmith@6.2.1 > spritesheet-templates@10.1.2 > handlebars@3.0.3 > uglify-js@2.3.6

Incorrect Handling of Non-Boolean Comparisons During Minification
Module      uglify-js@2.3.6
Vulnerable  <= 2.4.23
Patched     >= 2.4.24
Path        gulp.spritesmith@6.2.1 > spritesheet-templates@10.1.2 > handlebars@3.0.3 > uglify-js@2.3.6

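
The advisory above gives, for each module, a vulnerable range, a patched range and the dependency path that pulls it in. The following is an added example (not part of the issue thread or of gulp.spritesmith) that checks a dependency path of the form shown in the report against those three advisories and reports which packages on the path still fall inside a vulnerable range; the advisory entries are copied from the report, the range parser handles only the single-comparator ranges that appear in it, and the "after upgrade" path used in the usage call is constructed for illustration.

```javascript
// Advisory entries as listed by nodesecurity.io in the report above.
const ADVISORIES = [
  { title: 'Quoteless Attributes in Templates can lead to Content Injection',
    module: 'handlebars', vulnerable: '<4.0.0', patched: '>=4.0.0' },
  { title: 'Regular Expression Denial of Service',
    module: 'uglify-js', vulnerable: '<2.6.0', patched: '>=2.6.0' },
  { title: 'Incorrect Handling of Non-Boolean Comparisons During Minification',
    module: 'uglify-js', vulnerable: '<= 2.4.23', patched: '>= 2.4.24' },
];

// Compare two dotted versions numerically (no prerelease tags; enough for the
// ranges in this report). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator range such as "<4.0.0" or ">= 2.4.24".
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Parse "a@1.0.0 > b@2.0.0" (the report's path format) into [{name, version}].
function parsePath(path) {
  return path.split('>').map(s => s.trim()).map(s => {
    const at = s.lastIndexOf('@'); // lastIndexOf keeps scoped names intact
    return { name: s.slice(0, at), version: s.slice(at + 1) };
  });
}

// Return one finding per (package on path, advisory) whose vulnerable range matches.
function audit(path, advisories = ADVISORIES) {
  return parsePath(path).flatMap(pkg => advisories
    .filter(a => a.module === pkg.name && satisfies(pkg.version, a.vulnerable))
    .map(a => ({ name: pkg.name, version: pkg.version, title: a.title, patched: a.patched })));
}

// Constructed "after upgrade" path: should produce no findings.
console.log(audit('gulp.spritesmith@6.2.1 > spritesheet-templates@10.1.2 > handlebars@4.0.0 > uglify-js@2.6.0'));
```

Running `audit` on the path quoted in the report yields the three findings listed there, each carrying the patched range the upgrade must reach.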
twolfson commented 8 years ago

Yea, I don't see any issues that would be caused by the upgrade. Would you be interested in submitting a PR to spritesheet-templates?

ebdrup commented 8 years ago

done :)

twolfson commented 8 years ago

Awesome, thanks =)

twolfson commented 8 years ago

This should be released by a patch release in spritesheet-templates. Thanks for the bug report and PR!