Version 4.6.0 breaks istanbul (code coverage) html reporter

[SimenB]

See e.g. jestjs/jest#9388. Installing handlebars@4.5.3 into the reproduction provided there fixes the report.

Note that the latest version of istanbul-reports no longer uses handlebars, but e.g. the version currently shipped with Jest does use it. Source code here: https://github.com/istanbuljs/istanbuljs/tree/istanbul-reports%402.2.5/packages/istanbul-reports/lib/html

[ymoreiratiti]

Same here. Install 4.5.3 and work fine!

[matthaywardwebdesign]

@SimenB This will be due to the removal of the ability to use prototype methods.I imagine that is what Istanbul uses (or used to use).

See the release notes:
"Access to prototype properties is forbidden completely by default, specific properties or methods can be allow via runtime-options. See #1633 for details."

[nknapp]

See #1633 and #1635 for details and explanations

[SimenB]

@coreyfarrell @bcoe thoughts on releasing a patch version of istanbul-reports@2 that removes Istanbul (cherry picking the change that went into v3)? Or update the templates to work with handlebars@4.6?

[nknapp]

I'll try to release #1635 today

[nknapp]

@SimenB is #1635 a feasible solution for you?

[coreyfarrell]

Since a patch will be needed for istanbul-reports@2.x to work again my plan is to back-port the handlebars removal patch and do a special release of that.

I would lean towards saying that #1635 should not be rushed on our behalf since I'm unlikely to make a release to use the added options (#1635 alone will not fix istanbul-reports@2.2.5).

[nknapp]

It is not only because of Istanbul. Typedoc and others need it too.

But its good to know you have another plan.

I'm sorry for the hassle this caused. The security issues are certainly not that relevant for your project. But they are for others. It wasn't an easy decision to break the behaviour in a minor bump, but I still think it is better to break builds than to have insecure servers with known exploits

[nknapp]

Can we close this issue again?

[nknapp]

@SimenB it would be interesting to know how you are replacing handlebars. Custom implementation, different framework? Just interested

[SimenB]

I don't maintain istanbul, but you can see this commit which replaces it with string templates and an escaper: istanbuljs/istanbuljs@23a56ed. The templates are relatively simple without using advanced handlebars features, so it seems straightforward

Can we close this issue again?

I'm fine with closing although this won't be fixed until Istanbul has a release (hopefully soonish 🙂)

[SimenB]

New version of istanbul-reports published, so this is solved from my perspective.