Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default handlebars.js (4.0.4) contains security issues #703

Closed
gtudan opened this issue Jun 16, 2019 · 3 comments · Fixed by eclipse-ee4j/krazo#176
Closed

Default handlebars.js (4.0.4) contains security issues #703

gtudan opened this issue Jun 16, 2019 · 3 comments · Fixed by eclipse-ee4j/krazo#176

Comments

@gtudan
Copy link

gtudan commented Jun 16, 2019

The default handlebars version shipped with the plugin contains some security issues that have been fixed in upstream versions:

I don't know if this is really an issue with handlebars.java, but it causes scanners like Snyk or RetireJS to trigger if they see it in the project dependencies. I suggest to update the default file to the latest version of the 4.0.x tree (currently 4.0.14).
@gtudan gtudan mentioned this issue Jun 16, 2019
Merged
3 tasks
@pettazz
Copy link

pettazz commented Sep 11, 2019

Our project's security scanner (BlackDuck) is also getting tripped by the handlebars.js 4.0.4 that's included in the jar. Any chance we could get a new release upgrading it?

@krassib
Copy link

krassib commented Mar 4, 2020
edited

Hi Edgar,
A few months ago our security scanners also reported on handlbars.java 4.1.2 that the upstream handlebars-4.0.4.js (included in the build jar) has high severity vulnerability (prototype pollution). The suggestion is to upgrade to the latest - handlebars-4.7.3.js, which has a fix for the prototype pollution.
Can you kindly reply with your plan on fixing the issue?
Thanks,
Krassimir Boyanov

@krassib
Copy link

krassib commented Mar 4, 2020

@jknack ^^^

@Siebes Siebes mentioned this issue Apr 1, 2020
Closed
Siebes pushed a commit to Siebes/handlebars.java that referenced this issue Apr 1, 2020
@earyans
Bump Handlebars version to v4.7.3 to fix jknack#703
aa7d4b6
@Siebes Siebes mentioned this issue Apr 1, 2020
Merged
@jknack jknack closed this as completed in 71b8497 Apr 24, 2020
gtudan added a commit to gtudan/krazo that referenced this issue May 10, 2020
@gtudan
Handlebars finally fixed an upstream security issue
0254df2 
We found it in eclipse-ee4j#74, but had to wait for a fix:
jknack/handlebars.java#703
@gtudan gtudan mentioned this issue May 10, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update handlebars to fix a security issue gtudan/krazo
3 participants
@gtudan @pettazz @krassib