Update handlebars 4.1.0.

[przemyslaw-glod]

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
WS-2019-0103 (More information - handlebars-lang/handlebars.js@edc6220)
Vulnerable versions: < 4.1.0
Patched version: 4.1.0

[dougwilson]

That version range is incomplete. The fix was also ported to the 4.0.x line as the version 4.0.13.

That link is to the following commit for 4.1.0 release: handlebars-lang/handlebars.js@edc6220

Here is the same commit contents that were applied as part of the 4.0.13 release: handlebars-lang/handlebars.js@7372d4e

[dougwilson]

If it helps, this is the announcement made by the module on that particular issue, which shows the fixed versions: handlebars-lang/handlebars.js#1495

[przemyslaw-glod]

great! thanks for answering, I missed that info

[dougwilson]

Trying to consolidate the information around this: so WS-2019-0103 seems to be coming though as a GitHub security alert on repos. I contacted GitHub regarding the inaccurate version range information in the alert. They have responded back saying they are looking into it.

[dougwilson]

I've been emailing GitHub every business day and so far still no updates on the incorrect alert they have.

[jrichardsz]

July 14, 2019

Github continues with this warning!!!

[dougwilson]

Email Github about this through their contact form as well. Maybe the more people who contact them about this, they may actually fix the version range on their alert. Just email the contents of the first to comments here or a link to here.

I have sent numerous emails so far and got nothing but the automated response back.

[laserlemon]

👋 I apologize for the missed communication here! I'm on the GitHub team that's responsible for vulnerability alerting. I'm working to correct these inaccuracies here. Thank you!

[dougwilson]

Hi @jrichardsz and others, the warning should no longer be showing up on your repo.