express-hbs is currently using version 4.1.2 of Handlebars, which npm audit complains is vulnerable to a prototype pollution attack. Update to Handlebars >=4.3.0 to fix this issue.
Example npm audit from my project:
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.3.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-hbs │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-hbs > handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1164 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 54307 scanned packages
1 vulnerability requires manual review. See the full report for details.
g-marconet changed the title from "Update handlebars to a version that has no known vulnerabilities" to "handlebars version is vulnerable" on Sep 25, 2019
According to https://www.npmjs.com/advisories/1164/versions, version 4.1.2-0 is unaffected. I assume the API is quite similar to 4.1.2, so would switching to version 4.1.2-0 be an easy fix?
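The audit table above states the fix criterion as "Patched in >=4.3.0", so the practical check for a defender is whether every copy of handlebars in the lockfile satisfies that range. The following is an added example (not code from the express-hbs project or from the issue participants): a dependency-free semver comparator and a lockfile walker that reports every handlebars entry below the patched range. The lockfile excerpt is constructed for the example. It also shows why a version such as 4.1.2-0 does not help against that criterion: under semver precedence a prerelease like 4.1.2-0 sorts before 4.1.2, and both are outside >=4.3.0.

```javascript
// Added example, not from the express-hbs project or the issue author.
// Checks installed handlebars versions against the advisory's patched range.

const PATCHED_RANGE = ">=4.3.0"; // value taken from the npm audit table above

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers: numeric ones compare as numbers and
// sort before alphanumeric ones; alphanumeric ones compare lexically.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Number(a) - Number(b);
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns <0, 0 or >0 following semver precedence rules (semver.org, item 11).
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  // Same core version: a prerelease has lower precedence than the release.
  if (a.prerelease.length === 0 && b.prerelease.length === 0) return 0;
  if (a.prerelease.length === 0) return 1;
  if (b.prerelease.length === 0) return -1;
  const n = Math.min(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.prerelease[i], b.prerelease[i]);
    if (c !== 0) return c;
  }
  return a.prerelease.length - b.prerelease.length;
}

// Supports the ">=X.Y.Z" range shape that the advisory table uses.
function satisfiesMinimum(version, range) {
  const m = /^>=\s*(\S+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return compareSemver(version, m[1]) >= 0;
}

// Walk a package-lock.json v1 "dependencies" tree and report every
// occurrence of pkgName whose version is below the patched range.
function findUnpatched(lock, pkgName, range, path = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === pkgName && !satisfiesMinimum(entry.version, range)) {
      hits.push({ path: here.join(" > "), version: entry.version });
    }
    hits.push(...findUnpatched(entry, pkgName, range, here));
  }
  return hits;
}

// Constructed lockfile excerpt mirroring the audit path "express-hbs > handlebars".
// The express-hbs version here is a placeholder, not a real release number.
const SAMPLE_LOCK = {
  dependencies: {
    "express-hbs": {
      version: "1.0.0",
      dependencies: { handlebars: { version: "4.1.2" } },
    },
  },
};

// Summary a practitioner would look at: what is unpatched, and whether the
// prerelease 4.1.2-0 would change anything relative to the patched range.
function report() {
  return {
    unpatched: findUnpatched(SAMPLE_LOCK, "handlebars", PATCHED_RANGE),
    prereleaseBeforeRelease: compareSemver("4.1.2-0", "4.1.2") < 0, // true
    prereleaseSatisfiesPatched: satisfiesMinimum("4.1.2-0", PATCHED_RANGE), // false
    fixedSatisfiesPatched: satisfiesMinimum("4.3.0", PATCHED_RANGE), // true
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To use this against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json; any entry listed under `unpatched` is a copy of handlebars that the advisory's own criterion still considers unfixed, regardless of which parent pulled it in.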