npm audit security issue with handlebars 4.0.x #176

Closed
cholz opened this issue Sep 25, 2019 · 8 comments

@cholz

cholz commented Sep 25, 2019

NPM packages built with "audit" will fail, due to a handlebars security issue.
Updating the handlebars dependency to 4.3.1 should solve the issue.

```
                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Prototype Pollution

  Package         handlebars

  Patched in      >=4.3.0

  Dependency of   hbs

  Path            hbs > handlebars

  More info       https://nodesecurity.io/advisories/1164

found 1 high severity vulnerability in 1765970 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```

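The report above flags a transitive dependency (`hbs > handlebars`) against a patched range (`>=4.3.0`). The following is an added example, not code from the hbs project or from anyone in this thread: it walks a package-lock.json style dependency tree, finds every installed copy of the advisory's module, and reports the ones whose version falls outside the patched range. The lock-file fragment and the hbs version in it are constructed for the example; the module name, patched range, and advisory URL are the ones in the audit output.

```javascript
// Added example: check a lock-file dependency tree against an npm audit
// advisory's "Patched in" range. Not part of the hbs project.

// Constructed sample in the lockfileVersion 1 layout (nested `dependencies`).
// The hbs version here is made up; handlebars 4.0.14 is the pre-fix version
// mentioned later in the thread.
const SAMPLE_LOCK = {
  name: "my-app",
  dependencies: {
    hbs: {
      version: "0.0.0-constructed",
      requires: { handlebars: "4.0.14" },
      dependencies: {
        handlebars: { version: "4.0.14" },
      },
    },
    lodash: { version: "4.17.15" },
  },
};

// Advisory fields as printed by npm audit in the report above.
const ADVISORY = {
  module: "handlebars",
  patchedIn: ">=4.3.0",
  title: "Prototype Pollution",
  url: "https://nodesecurity.io/advisories/1164",
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "4.10.0" sorts after "4.3.3" (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal evaluator for the comparator ranges npm audit prints ("Patched in
// >=4.3.0"). Space-separated clauses are ANDed, e.g. ">=4.3.0 <5.0.0".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case ">=": return cmp >= 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case "<": return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// Depth-first walk over nested `dependencies`, collecting every installed copy
// of `name` together with the path npm audit would print ("hbs > handlebars").
function findInstalled(node, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    findInstalled(info, name, here, out);
  }
  return out;
}

// Returns the installs that still fall outside the patched range
// (empty array when every copy is already patched).
function auditLock(lock, advisory) {
  return findInstalled(lock, advisory.module)
    .filter((hit) => !satisfies(hit.version, advisory.patchedIn))
    .map((hit) => ({ ...hit, patchedIn: advisory.patchedIn, title: advisory.title }));
}

for (const h of auditLock(SAMPLE_LOCK, ADVISORY)) {
  console.log(`${h.title}: ${h.path}@${h.version} (patched in ${h.patchedIn})`);
}
```

Running it against the constructed lock prints one line for `hbs > handlebars@4.0.14`; after the tree is regenerated with handlebars 4.3.x the same call returns an empty list, which is the check to run before closing an advisory like this one.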
@dougwilson
Contributor

dougwilson commented Sep 25, 2019

Thank you for the report. Looks like it was just published yesterday. I will look at what changes need to be done to upgrade; I seem to recall there was an incompatibility moving to the 4.1.x series I had on my backlog to resolve, but I guess I need to do that today 👍

@Naktibalda

I hope that this issue can be fixed in a minor or patch release, bumping version number to 5.0.0 would require other libraries to update their hbs version constraint.

@dougwilson
Contributor

Yes, I agree. I would like to figure out one of three paths, is all (maybe there are more):

  1. What can we do to upgrade to latest handlebars but keep this a 4.x release so folks get it automatically with semver ranges.
  2. Maybe even if we can backport the fix to the 4.0.x branch of handlebars (this was done with previous patches) thus we can bump the patch version.
  3. Last case, document the breaking changes and migration guide and release as 5.0 and people will need to migrate to address the issue.

Those are my thoughts, at least, in order of my own preferences.

@dougwilson
Contributor

I have traced through the one test failure and created a bug in the handlebars project for it: handlebars-lang/handlebars.js#1562

Our test suite is not really great at coverage, so I am just going through all the changes between the 4.0.14 handlebars and 4.3.1 currently. Even though I filed the bug above, I believe I found a work-around, so it won't end up as a blocker thankfully.

@dougwilson
Contributor

Just a heads-up for those looking here, there is yet another security issue handlebars is working to fix: handlebars-lang/handlebars.js#1563 . I continue to work towards the upgrade here, which will make us ready for when that new handlebars version will drop.

@dougwilson
Contributor

dougwilson commented Sep 27, 2019

A new version of this module, hbs, will be published with the updated handlebars dependency within the next 10 hours.

@dougwilson
Contributor

Ok, handlebars 4.3.3 is published now, so that will be the upgrade target. Also, AFAICT there isn't anything breaking when used through this module, so this will be a patch release for hbs.

@dougwilson
Contributor

Published as 4.0.5 with handlebars 4.3.3.
