NYC handlebars dependency warning #991

Closed
jungleBadger opened this issue Feb 14, 2019 · 3 comments

@jungleBadger

Expected Behavior

Don't depend on blacklisted versions of libraries

Observed Behavior

npm commands will raise a High warning through nsp/audit process regarding the Istanbul reports / Handlebars dependency

Forensic Information

https://www.npmjs.com/advisories/755
istanbuljs/istanbuljs#293

Operating System: the operating system you observed the issue on.
Windows 10 / OS X

  High            Prototype Pollusion
  Package         handlebars
  Patched in      >=4.0.13
  Dependency of   nyc [dev]
  Path            nyc > istanbul-reports > handlebars
  More info       https://npmjs.com/advisories/755

@Xilis

Xilis commented Feb 14, 2019

handlebars is a dependency in istanbul-reports

An issue can be found at istanbuljs/istanbuljs#293,
and a pull request is already made and passed testing at istanbuljs/istanbuljs#294

@coreyfarrell
Member

nyc@13.3.0 is published with the updated handlebars. The master branch of nyc already included a feature so for the moment 13.3.0 is not latest, it's next. You can install with npm i -D nyc@next. Will be a much shorter testing cycle than normal but I still need to give a bit of time to make sure the new feature doesn't create major issues.

I'm keeping this issue open until nyc is upgraded to latest on npm.

@coreyfarrell
Member

nyc@13.3.0 is promoted to latest so this issue is now fully resolved.
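
A lockfile check for the condition this issue reports, as an added example that is not code from nyc or from any commenter: it walks a `package-lock.json` (lockfileVersion 1 layout assumed) and lists installed copies of handlebars older than the 4.0.13 patched version shown in the audit output. The function names and the sample lockfile are constructed for illustration.

```javascript
// Parse "4.0.12" -> [4, 0, 12]. Pre-release and build suffixes are ignored
// (a simplification; a full semver comparison would account for them).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 lockfile and
// return every installed copy of `name` older than `patched`. The nesting
// mirrors node_modules install locations, not the logical "Path" that
// npm audit prints, so a hoisted copy shows up at the top level.
function findUnpatched(lock, name, patched, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = trail.concat(dep);
    if (dep === name && isBelow(info.version, patched)) {
      const location = here.map((d) => `node_modules/${d}`).join('/');
      hits.push({ location, version: info.version, dev: Boolean(info.dev) });
    }
    hits.push(...findUnpatched(info, name, patched, here));
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative): one hoisted copy
// below the patched version and one nested copy at or above it.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.0.12', dev: true },
    nyc: { version: '13.2.0', dev: true, requires: { 'istanbul-reports': '^2.1.0' } },
    'istanbul-reports': {
      version: '2.1.0', dev: true,
      dependencies: { handlebars: { version: '4.1.0', dev: true } },
    },
  },
};

console.log(findUnpatched(sampleLock, 'handlebars', '4.0.13'));
```

Run against a real project by replacing `sampleLock` with the parsed contents of its `package-lock.json`; an empty result after upgrading means no installed copy is below the patched version.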
