
"The handlebars dependency defined in package-lock.json has a known moderate severity security vulnerability in version range < 4.0.0 and should be updated." #8544

Closed
YajJackson opened this issue Nov 18, 2017 · 11 comments

Comments

@YajJackson

YajJackson commented Nov 18, 2017

Versions

Output from: `ng --version`:
Angular CLI: 1.5.2
Node: 6.11.3
OS: win32 x64
Angular: 5.0.2
... animations, common, compiler, compiler-cli, core, forms
... http, language-service, platform-browser
... platform-browser-dynamic, router

@angular/cli: 1.5.2
@angular-devkit/build-optimizer: 0.0.33
@angular-devkit/core: 0.0.20
@angular-devkit/schematics: 0.0.36
@ngtools/json-schema: 1.1.0
@ngtools/webpack: 1.8.2
@schematics/angular: 0.1.5
typescript: 2.4.2
webpack: 3.8.1

Repro steps

Step 1: Run `ng new <ExampleName>`
Step 2: View handlebars.js version 1.3.0 dependency in package-lock.json

Observed behavior

Github flags this as a vulnerable dependency.

Desired behavior

Update handlebars.js version dependency from 1.3.0 to 4.0.11
Reduce vulnerability out of the box.
@clydin
Member

clydin commented Nov 18, 2017

Dupe of #8534

@YajJackson
Author

@clydin I had updated @angular/cli under an hour prior to posting this, but noticed a few people saying the issue was resolved.

@brunolm

brunolm commented Nov 19, 2017

I updated @angular/cli to 1.5.2, removed node_modules, installed all again, still installed old handlebars version.

Is there a workaround for now?

@benc-uk

benc-uk commented Nov 19, 2017

CLI 1.5.2 doesn't fix it. However, there has been a fix; not sure what release it will surface in, 1.5.3 perhaps.

@YajJackson
Author

@brunolm this has been my workaround.

@tigercosmos

@YajJackson That will only change the .lock file this time, and it will come back the next time you run npm install.
I don't suggest doing that.

@brunolm

brunolm commented Nov 22, 2017

@angular/cli 1.5.3 fixes it. https://github.com/angular/angular-cli/commits/v1.5.3

  • Delete node_modules
  • npm i -D @angular/cli@1.5.3
  • npm i

brunolm/angular-how-to#8
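As an added example (not code from the angular-cli project or from anyone in this thread), the following Node.js script walks a lockfile v1 package-lock.json (the nested "dependencies" layout that npm 5 writes) and lists every copy of handlebars whose version is below 4.0.0, together with the chain of parent packages that pulled it in. That tells you which dev dependency actually needs the upgrade, rather than hand-editing the lock file, which npm install reverts as noted above. The sample lockfile and the parent package name `some-reporter` are constructed for the example; the range `< 4.0.0` is the one quoted in the alert at the top of this issue.

```javascript
// Added example, not part of the angular-cli project. Scans a lockfile v1
// package-lock.json for nested copies of a package inside a vulnerable
// version range (handlebars < 4.0.0, as stated in the GitHub alert).

// Minimal semver comparison: numeric major.minor.patch only, ignoring
// pre-release tags. Enough for the lockfile versions seen in this thread.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the nested dependency tree of a lockfile v1 and collect every
// occurrence of `name` with a version below `fixedIn`, recording the
// path of parent packages so the offending dependency can be identified.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  function walk(deps, path) {
    if (!deps) return;
    for (const [depName, info] of Object.entries(deps)) {
      const here = path.concat(depName);
      if (depName === name && lessThan(info.version, fixedIn)) {
        hits.push({ version: info.version, path: here.join(' > ') });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile shaped like the situation in this thread:
// a current handlebars at top level plus an old handlebars 1.3.0 nested
// under a dev dependency. The nested copy is what the alert flags.
// The parent package name "some-reporter" is hypothetical.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.0.11' },
    'some-reporter': {
      version: '1.0.0',
      dev: true,
      dependencies: {
        handlebars: { version: '1.3.0' }
      }
    }
  }
};

// Print one line per vulnerable copy and return the hits for further use.
function report(lock) {
  const hits = findVulnerable(lock, 'handlebars', '4.0.0');
  for (const h of hits) {
    console.log(`handlebars@${h.version} via ${h.path}`);
  }
  return hits;
}

report(sampleLock);
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A lockfile v2 or v3 (npm 7 and later) stores a flat "packages" map instead of nested "dependencies", so this walker would need a different traversal for those.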

sadjorlolo added a commit to sadjorlolo/feast-client that referenced this issue Nov 22, 2017
Github error: We found a potential security vulnerability in one of your
dependencies.
The handlebars dependency defined in package-lock.json has a known
moderate severity security vulnerability in version range < 4.0.0 and
should be updated.

What I did:
Delete node_modules
npm i -D @angular/cli@1.5.3
npm i

angular/angular-cli#8544
@filipesilva
Contributor

Duplicate of #8521, fixed by #8535.

@commercialsuicide

commercialsuicide commented Dec 11, 2017

I have tried Brunolm's solution, but when I run Angular (ng serve), it fails to compile, the only logs I see:

ERROR in ./src/client/main.ts
Module build failed: [object Object]
@ multi webpack-dev-server/client?http://0.0.0.0:0 ./src/client/main.ts
ERROR in ./src/client/polyfills.ts
Module build failed: [object Object]
@ multi ./src/client/polyfills.ts

webpack: Failed to compile.

The old version of angular CLI was 1.1.0

Tried with angular CLI 1.5.3 (locally and globally)
And another try with angular CLI 1.6.0 (locally and globally)

I have also tried to follow migration guide, compared versions in package.json as described here, but with no luck, the same error.

I took a list of dependencies from migration guide, if you need some more info, just let me know.
Current versions

dependencies:

@angular: 4.3.6
core-js: 2.5.3
rxjs: 5.5.5
zone.js: 0.8.4

devDependencies:

@angular/cli: 1.6.0
@angular/compiler-cli: 4.3.6
@types/jasmine: 2.5.45
@types/node: 6.0.93
codelyzer: 3.2.2
jasmine-core: 2.8.0
jasmine-spec-reporter: 4.2.1
karma: 1.7.1
karma-chrome-launcher: 2.2.0
karma-cli: 1.0.1
karma-jasmine: 1.1.1
karma-jasmine-html-reporter: 0.2.2
karma-coverage-istanbul-reporter: 1.3.0
protractor: 5.2.1
ts-node: 3.3.0
tslint: 5.8.0
typescript: 2.6.1

@bofcarbon1

I got these errors deploying React applications to GitHub. Most of the issues were in the package-lock.json file. I use npm to build and run my React apps. There is a handy tool called 'npm-check'. Installing and running 'npm-check' will list outdated dependency libraries along with the npm commands to get the latest version. It's pretty cool. I updated my outdated scripts and that resolved the issue.

This post is a bit old but for those that come upon it and look for threads here you are.
Stack overflow won't let me share this until I get a 50 rep and that hasn't happened in
3 years since the new assholes took over and made it all about popularity.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019
This issue was closed.