Update vulnerable handlebars@^3.0.3 to ^4.0.12 #921
Comments
I can only spy 2 cases where there are potential compatibility issues from v3,
Would like to see this addressed in 4.2 if possible. Not a big fan of pushing out updates that depend on vulnerable dependencies if it can be helped.
I was doing a little research on this and found that this vulnerability does not have anything to do with Handlebars at its core, but more so bad developer practices (not wrapping HTML attributes in ' or "). The issue is that the Handlebars documentation claimed to be escaping content in {{ }} but did not have Also, I have updated Handlebars and did not find any noticeable issues or that anything was broken.
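To make the point in the comment above concrete, here is an added illustration (it is not code from this issue, from UserFrosting, or from Handlebars itself). It uses a toy `{{name}}` substitution and two tiny escapers that stand in for Handlebars' HTML escaping, written on the assumption that the 3.x escape set was `& < > " ' \`` and that 4.x added `=`; the attribute scanner, the payloads and the templates are constructed for the demonstration. It shows that an unquoted attribute is the only place the missing `=` escape turns into attribute injection, and that quoting the attribute defends even with the older escape set.

```javascript
// Added example, not code from the issue, UserFrosting or Handlebars.
// ASSUMPTION: the pre-4.0 Handlebars escape set was & < > " ' ` and 4.0 added '='.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
const OLD_ESCAPE = /[&<>"'`]/g;  // assumed 3.x behaviour: '=' passes through
const NEW_ESCAPE = /[&<>"'`=]/g; // assumed 4.x behaviour: '=' becomes &#x3D;

function escapeHtml(value, re) {
  return String(value).replace(re, (c) => ENTITIES[c]);
}

// Toy stand-in for a compiled template: each {{name}} becomes the escaped context value.
function render(template, context, re) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(context[key] || '', re));
}

// Attribute names of the first tag, tokenised the way an HTML parser does:
// a name runs until whitespace, ", ', >, / or =. Character references such as
// &#x3D; are NOT decoded inside a name, so they do not end the name either.
function attributeNames(html) {
  const tag = html.match(/<[a-zA-Z][^\s>]*([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample inputs (hypothetical templates and payloads).
const UNQUOTED = '<a href={{url}}>profile</a>';  // the "bad developer practice"
const QUOTED = '<a href="{{url}}">profile</a>';  // attribute value properly quoted
const PAYLOAD = 'x onmouseover=alert(1)';        // needs no quote to break out of UNQUOTED
const QUOTE_PAYLOAD = 'x" onmouseover="alert(1)'; // tries to break out of QUOTED

// true if rendering the payload into the template yields a real onmouseover attribute
function handlerInjected(template, payload, re) {
  return attributeNames(render(template, { url: payload }, re)).includes('onmouseover');
}

for (const [label, re] of [['3.x-style escaping', OLD_ESCAPE], ['4.x-style escaping', NEW_ESCAPE]]) {
  console.log(label);
  console.log('  unquoted:', render(UNQUOTED, { url: PAYLOAD }, re),
              'injected =', handlerInjected(UNQUOTED, PAYLOAD, re));
  console.log('  quoted:  ', render(QUOTED, { url: QUOTE_PAYLOAD }, re),
              'injected =', handlerInjected(QUOTED, QUOTE_PAYLOAD, re));
}
```

With the 3.x-style set the unquoted template renders `<a href=x onmouseover=alert(1)>`, a second, attacker-controlled attribute; with `=` escaped the same input renders `onmouseover&#x3D;alert(1)`, which the parser reads as one harmless attribute name. The quoted template is safe under both sets because `"` was already escaped, which is why upgrading closes the advisory but quoting attribute values in templates is still the practice to insist on.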
This might be solved in the 3.x branch by Handlebars and their new release from June 30th? https://github.com/wycats/handlebars.js/blob/v3.0.7/release-notes.md#v307---june-30th-2019
Looks like we'll have to update to 4.1.0: handlebars-lang/handlebars.js@edc6220
I did a quick test on my systems and setting the dependency to 4.1.2 doesn't require any work. All default pages work as intended. https://github.com/wycats/handlebars.js/blob/v4.1.2/release-notes.md All "Compatibility notes" are edge cases which we don't use in default pages, which makes it probably safe to include in UF 4.3.
Handlebars ^3.0.3 is affected by https://nodesecurity.io/advisories/61 (cross-site scripting). We should update to ^4.0.12 if possible.