dependency-cruiser 8.0.2 depends on [email protected] which depends on optimist@^0.6.1 which depends on a vulnerable version of [email protected].*.
Currently there is no new handlebars version available that does not produce vulnerability errors, but there already is an open ticket for that: https://github.com/wycats/handlebars.js/issues/1658
Once there is a new handlebars version available, please update the dependency on handlebars in dependency-cruiser. Or, maybe even better, change the dependency right away to a semantic version range like ^4.7.3.
I'm acutely aware and am following wycats/handlebars.js#1658 with interest. Might be some time before it gets merged, though - the maintainer currently has more pressing things to attend to - as might I, f.t.m. ...
B.t.w. at runtime dependency-cruiser does not use handlebars' cli, so strictly speaking it's a false positive (as it is for most installations using handlebars, I guess).
I have a strict policy to not trust semantic version ranges of third party packages beyond what I can run on a CI. As in normal circumstances dependency-cruiser gets updated every one or two weeks (which includes updates to external dependencies), and faster in case of security issues, this should be good enough to go.
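Two checks a maintainer does when a transitive dependency is flagged, as an added example that is not code from this thread or from dependency-cruiser: tracing every path from the root package to the flagged package (the chain the issue describes, and what `npm ls <name>` prints), so you know which direct dependency to bump, and comparing an exact pin against a caret range such as `^4.7.3` (the policy discussed above). The lockfile-shaped graph below is constructed for illustration; package names follow the chain in the issue, versions are illustrative, and the caret check is a deliberately minimal stand-in for the real `semver` package.

```javascript
// Added example (not from the thread or dependency-cruiser). Constructed,
// lockfile-shaped dependency graph: name -> { version, dependencies }.
// Names follow the chain in the issue; versions are illustrative only.
const lockfile = {
  "dependency-cruiser": { version: "8.0.2", dependencies: { handlebars: "4.7.2", lodash: "4.17.15" } },
  handlebars: { version: "4.7.2", dependencies: { optimist: "^0.6.1", "neo-async": "^2.6.0" } },
  optimist: { version: "0.6.1", dependencies: { minimist: "~0.0.1", wordwrap: "~0.0.2" } },
  minimist: { version: "0.0.10", dependencies: {} },
  wordwrap: { version: "0.0.3", dependencies: {} },
  "neo-async": { version: "2.6.1", dependencies: {} },
  lodash: { version: "4.17.15", dependencies: {} },
};

// Depth-first search returning every root-to-target path as a list of
// "name@version" steps. `onPath` guards against cycles, which real
// lockfiles do contain.
function findDependencyPaths(graph, root, target) {
  const results = [];
  function walk(name, path, onPath) {
    const node = graph[name];
    if (!node || onPath.has(name)) return;
    const nextPath = [...path, `${name}@${node.version}`];
    if (name === target) {
      results.push(nextPath);
      return;
    }
    onPath.add(name);
    for (const dep of Object.keys(node.dependencies)) walk(dep, nextPath, onPath);
    onPath.delete(name);
  }
  walk(root, [], new Set());
  return results;
}

// Which direct dependencies of the root lead to the target (deduplicated):
// these are the entries in package.json that need an update.
function directDependenciesLeadingTo(graph, root, target) {
  return [...new Set(findDependencyPaths(graph, root, target).map((p) => p[1]))];
}

// Minimal version handling: plain "x.y.z" only; pre-release tags and
// other range operators are intentionally out of scope here.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics for "^x.y.z": not below the floor, same major as the
// floor (or, for a 0.y.z floor, same major and minor). A range without
// a caret is treated as an exact pin, which is the other policy in play.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) return range === version;
  const floor = range.slice(1);
  const [fMaj, fMin] = parseVersion(floor);
  const [vMaj, vMin] = parseVersion(version);
  if (compareVersions(version, floor) < 0) return false;
  if (fMaj > 0) return vMaj === fMaj;
  return vMaj === 0 && vMin === fMin;
}

console.log(findDependencyPaths(lockfile, "dependency-cruiser", "minimist"));
// [["dependency-cruiser@8.0.2","handlebars@4.7.2","optimist@0.6.1","minimist@0.0.10"]]
console.log(directDependenciesLeadingTo(lockfile, "dependency-cruiser", "minimist"));
// ["handlebars@4.7.2"]
console.log(caretSatisfies("4.7.2", "4.7.3"), caretSatisfies("^4.7.3", "4.7.3"), caretSatisfies("^4.7.3", "5.0.0"));
// false true false
```

The path search answers "which of my direct dependencies drags this in?", which is the question behind the issue; the caret check makes the trade-off explicit: an exact pin never picks up a fixed release on its own, a caret range picks up 4.7.3 and 4.8.0 but still refuses 5.0.0, and for a 0.y.z floor the caret only widens the patch level.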
@fabb - I saw you helped out handlebars with a bunch of unit tests so they could move on to yargs -> thanks!!! 🙏 .
I'll release an updated dependency-cruiser tonight!
published as 8.1.1