moderate severity security vulnerability on handlebars dependency #62
Comments
@rbecheras Thanks for the issue! If you're reporting a bug, please be sure to include:
Handlebars isn't even used directly in this lib or the tests. I don't remember why it's in here. If you'd like to remove it and see if the tests pass, I'm fine with that.

Yes, indeed, it's a bit weird to have it as a development dependency. I'll try to remove it and we'll see.
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
The actual dependency is on handlebars v1.3.0. Thus handlebars should be upgraded to v4+, i.e. to the latest stable release.

NB: v1.x -> v4.x
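To make the advisory text concrete, here is an added example (not code from this project, and not handlebars' own implementation) showing why an unquoted attribute is the dangerous context. It models `{{value}}` interpolation with two escape tables: one without `=` (my understanding of handlebars before 4.0.0) and one with `=` added (my understanding of the 4.0.0 change). The exact character sets, the template strings, the `hasInjectedHandler` check and the attacker value are assumptions constructed for the demo.

```javascript
// Toy `{{name}}` interpolator with pluggable HTML escaping.
// LEGACY_ESCAPES approximates handlebars < 4.0.0 (no `=` escaping);
// V4_ESCAPES approximates handlebars >= 4.0.0 (`=` is escaped too).
// Both tables are assumptions for this demo, not copied from handlebars.
const LEGACY_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
const V4_ESCAPES = { ...LEGACY_ESCAPES, '=': '&#x3D;' };

// Escape every character that has an entry in `table`.
function escapeHtml(str, table) {
  const re = new RegExp('[' + Object.keys(table).join('') + ']', 'g');
  return String(str).replace(re, (ch) => table[ch]);
}

// Replace each {{name}} with the escaped value from `context`.
function render(template, context, table) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escapeHtml(context[name] ?? '', table));
}

// Crude check: after blanking out quoted attribute values, is there a bare
// `on<event>=` token that a browser would parse as a new event-handler
// attribute? Character references are not decoded inside attribute names,
// so `onmouseover&#x3D;alert(1)` is just a meaningless attribute name.
function hasInjectedHandler(html) {
  const withoutQuoted = html.replace(/"[^"]*"|'[^']*'/g, '""');
  return /\son[a-z]+\s*=/i.test(withoutQuoted);
}

// Constructed templates: the first leaves the attribute unquoted (the
// pattern the advisory warns about), the second quotes it.
const UNQUOTED = '<a href={{url}}>profile</a>';
const QUOTED = '<a href="{{url}}">profile</a>';

// Constructed attacker-controlled value: a space ends the href token and
// `onmouseover=alert(1)` becomes a second attribute unless `=` is escaped.
const PAYLOAD = 'x onmouseover=alert(1)';

function demo() {
  const ctx = { url: PAYLOAD };
  return {
    legacyUnquoted: render(UNQUOTED, ctx, LEGACY_ESCAPES), // injected handler
    v4Unquoted: render(UNQUOTED, ctx, V4_ESCAPES),         // `=` neutralised
    legacyQuoted: render(QUOTED, ctx, LEGACY_ESCAPES),     // quotes contain it
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of Object.entries(demo())) {
    console.log(label.padEnd(15), hasInjectedHandler(html) ? 'INJECTED' : 'safe', html);
  }
}
```

The point for the dependency question in this issue: the flaw only matters where an attacker-controlled value is rendered into an unquoted attribute by handlebars at runtime, which is why the maintainers' reply about the package being unused matters as much as the version bump.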