
Handlebars dependency marked as High security vulnerability

Open jeandat opened this issue 6 years ago • 3 comments

The Handlebars npm package upon which you depend has a high security vulnerability.

Do you plan on upgrading it?

The npm audit tool recommends: >=4.0.14 <4.1.0 || >=4.1.2

jeandat avatar May 21 '19 08:05 jeandat

According to https://nvd.nist.gov/vuln/detail/CVE-2019-19919 at least version 4.3.0 is required to resolve the issue.

JJK96 avatar Jul 07 '21 13:07 JJK96

Hello Everyone, which version are you running?

TileServer-GL 3.1.1 uses handlebars v4.7.3. It was 4.7.3 even at the time of 3.0.0. It was 4.1.2 at the time of 2.6.0.

This is IMHO an old issue that should be closed: kindly ping @petrsloup.

HTH, Matteo

scara avatar Jul 07 '21 13:07 scara

XRAY-173070 CVE-2021-23369 CVSS2: 7.5 CVSS3: 9.8 npm://handlebars:4.7.3 The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Antonimo avatar Oct 21 '21 06:10 Antonimo