
two handlebars security audits #1238

Closed
1 task done
starpit opened this issue Dec 6, 2019 · 3 comments

Comments

starpit commented Dec 6, 2019

Link to bug demonstration repository

Expected Behavior

no security audits

Observed Behavior

violations due to use of handlebars version 4.5.2 (fixed in 4.5.3)

https://npmjs.com/advisories/1324
https://npmjs.com/advisories/1325

Troubleshooting steps

  • still occurring when I put cache: false in my nyc config

Environment Information

  System:
    OS: macOS Mojave 10.14.6
    CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
    Memory: 664.65 MB / 16.00 GB
  Binaries:
    Node: 12.13.0 - /usr/local/bin/node
    Yarn: 1.5.1 - /usr/local/bin/yarn
    npm: 6.12.0 - /usr/local/bin/npm
  npmPackages:
    nyc: 14.1.1 => 14.1.1 
    typescript: 3.7.2 => 3.7.2 
coreyfarrell (Member) commented

This is not a bug in nyc, we use semver ranges to install so the fixed versions are already allowed by nyc. The problem is with your yarn.lock or package-lock.json blocking the update. See istanbuljs/istanbuljs#476 for details and how to resolve the lockfile error.

starpit commented Dec 6, 2019

Thanks, yes, we have done this. I was reporting it here so that the fix could roll through our upstream deps. Thanks for the response.

coreyfarrell (Member) commented

nyc 15 actually removes handlebars entirely, so it will never result in another audit report via nyc. See #1104 if you want to try that version, which will become the latest stable very soon (be sure to check the changelogs posted as comments for breaking changes).

As far as updating the dependency chain of 14, we have to prioritize the work we do. Older versions of nyc bundled dependencies, which meant that npm audit vulnerabilities were in fact our fault. We no longer bundle, so nyc itself is no longer the cause of most audit reports. If the vulnerability fix were an out-of-range update we would likely perform a backport to update our dependency, but for in-range updates I simply don't have time (and it's fixable on the user side).
