Update vulnerable dependencies

[g-marconet]

There are a few PRs out for this already, but one breaks tests and another only covers upgrades to lodash.

This updates handlebars, lodash, and does its best to use non-vulnerable versions of downstream dev dependencies with npm audit fix. There are two outstanding vulnerabilities in a dependency of istanbul, but they required updating 3 major versions to fix and I do not know enough about this codebase to make that change.

Why this PR?
express-hbs version 2.1.2 pins a vulnerable version of handlebars. This causes all downstream projects to report vulnerabilities when npm audit is run.

How do I know this fixes vulnerabilities?
Run npm audit --production and observe that it "found 0 vulnerabilities".

[benbrown]

+1 for getting this merged and published to npm!

[ErisDS]

Istanbul is just for coverage. Upgrade should be safe else rip it out for now. Aware that express hbs needs love but in an insane busy period that will last one more week. Will try to get to it earlier if possible

…

On Thu, 3 Oct 2019 at 16:15, Ben Brown ***@***.***> wrote: +1 for getting this merged and published to npm! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#165>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAYZCLABP7QHJ2ECWCLSZTQMYEARANCNFSM4I35J2WQ> .

[ErisDS]

Thanks for your help! I've redone the dependency updates as more had been flagged vulnerable in the meantime. Express-hbs 2.2.0 has been published.