
Prototype Pollution

Open axago opened this issue 5 years ago • 7 comments

"Versions of handlebars prior to are vulnerable to Prototype Pollution leading to Remote Code Execution"

Remediation: Upgrade to version 4.3.0 or later.

Screen Shot 2019-09-26 at 11 27 50

axago avatar Sep 26 '19 10:09 axago

One workaround is to explicitly add the current version of handlebars as a dependency to your package.json:

  "dependencies": {
    ...
    "express-handlebars": "^3.1.0",
    "handlebars": "^4.4.2",
    ...
  },

NPM will no longer show the warning.

spacejack avatar Oct 04 '19 14:10 spacejack

same here

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-handlebars > handlebars > optimist > minimist        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

jfoclpf avatar Mar 25 '20 00:03 jfoclpf

I have finally gotten around to moving this repo to https://github.com/express-handlebars/express-handlebars/. Any new development will be done on that repo.

UziTech avatar Mar 25 '20 16:03 UziTech

@UziTech what about the npm package? Does it point to the new repo, such that npm update does update this dependency? Thanks

jfoclpf avatar Mar 25 '20 19:03 jfoclpf

Yes, the npm package should point to the correct repo since v4.0.0.

UziTech avatar Mar 25 '20 20:03 UziTech

Thanks a lot @UziTech, nonetheless it seems the error persists because handlebars has not yet been updated to remove the vulnerability of its dependencies:

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-handlebars > handlebars > optimist > minimist        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │

$ npm list handlebars express-handlebars optimist minimist
[email protected] /home/joao/delp.pt
├─┬ [email protected] 
│ └─┬ [email protected] 
│   └─┬ [email protected] 
│     └── [email protected] 

https://github.com/wycats/handlebars.js/issues/1661

jfoclpf avatar Mar 25 '20 21:03 jfoclpf
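The audit output above reports a single path and a patched range for minimist, and the earlier workaround of pinning a direct dependency only helps if npm actually dedupes the nested copy. This added example (not code from the thread or from express-handlebars) walks a constructed `npm ls --json`-style tree and checks every installed minimist copy against the patched ranges quoted by npm audit; the tree shape and its versions are made up for illustration.

```javascript
// Added example: audit a constructed `npm ls --json` style tree for minimist
// copies that fall outside the patched ranges ">=0.2.1 <1.0.0 || >=1.2.3".

// Split "x.y.z" into numeric parts (pre-release tags are out of scope here).
const parseVersion = (v) => v.split('.').map(Number);

// Compare two version strings: negative, zero or positive, like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Patched ranges for minimist as printed by npm audit in the thread.
function isPatchedMinimist(version) {
  const ge = (v) => compareVersions(version, v) >= 0;
  const lt = (v) => compareVersions(version, v) < 0;
  return (ge('0.2.1') && lt('1.0.0')) || ge('1.2.3');
}

// Recursively collect every installed copy of `name`, with its dependency path,
// so nested copies are not hidden behind a patched top-level one.
function findInstalled(tree, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) hits.push({ path: here.join(' > '), version: info.version });
    hits.push(...findInstalled(info, name, here));
  }
  return hits;
}

function auditMinimist(tree) {
  return findInstalled(tree, 'minimist')
    .map((h) => ({ ...h, patched: isPatchedMinimist(h.version) }));
}

// Constructed sample tree mirroring the path reported by npm audit above.
// Versions are illustrative: a patched top-level minimist next to an
// unpatched nested copy pulled in through optimist.
const sampleTree = {
  dependencies: {
    'express-handlebars': { version: '3.1.0', dependencies: {
      handlebars: { version: '4.7.3', dependencies: {
        optimist: { version: '0.6.1', dependencies: {
          minimist: { version: '0.0.10' } } } } } } },
    minimist: { version: '1.2.5' },
  },
};
```

Running `auditMinimist(sampleTree)` reports two copies: the top-level one as patched and the nested one under optimist as unpatched, which is exactly the situation a direct-dependency pin does not resolve on its own.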

@UziTech I noticed in your new repo that you have a fixed-version dependency on handlebars.

"handlebars": "^4.7.3",

Maybe it's recommendable to have "4.7.x" or even "4.x", since according to the instructions it should always be backward compatible.

jfoclpf avatar Mar 25 '20 21:03 jfoclpf