NPM Audit

[courtyenn]

I am running Node Version 9.9.7 and I ran npm audit. It looks like there is a Cross-Site-Scripting issue.

high Cross-Site Scripting

Package handlebars

Dependency of mochawesome-screenshots

Path mochawesome-screenshots > handlebars

https://nodesecurity.io/advisories/61

[nknapp]

That's for versions < 4.0.0. Do you need a patch release of Handlebars 3.x that fixes the issue?

[mattolson]

Yes please. I just noticed that the fix was backported to 3.x but there is no 3.0.4 release that contains it. This would be very helpful for us!

[nknapp]

I have released 3.0.4 but then had problems with the travis build, so not all places were updated.
I have (hopefully) fixed those problems and released 3.0.5 right afterwards. So 3.0.5 and 3.0.4 are essentially identical, but 3.0.5 will hopefully reach the AWS cloud some time.

At the moment SauceLabs seems to be causing timeouts.

But it's in npm and RubyGems and it might work in bower (I had to do a manual fix there, so I'm not sure it will work).

[mattolson]

Thank you @nknapp !

[mattolson]

I wonder what the process is for getting https://www.cvedetails.com/cve/CVE-2015-8861/ updated...

[mattolson]

And then after the CVE is updated, https://github.com/nodejs/security-advisories/blob/master/ecosystem/handlebars/61.json will need to be updated as well.

[nknapp]

@mattolson @courtneynguyen some people have broken builds, because of the 3.0.5 release I made.
I should have expected this, and I'm considering to revert the commit and re-release. But I wanted your opinions as well. Is the XSS really an issue in your case, or do you just want to get rid of the audit warning? Please answer to #1489

[nknapp]

After talk to @wycats, we have decided to revert the fix (in 3.0.6), because it was in illegal change in a patch-release according to semver-logic.

The plan is to release a new minor version 3.1.0, in which the fix can be optionally activated. I'll open a separate issue for that.

In the meantime, people who require the fix must make sure to stick to version 3.0.5.

I'm sorry about the level of complexity of this issue, but this is an old project, with lots of users and compatibility is an important issue.

/cc @mattolson @courtneynguyen

[infolock]

if you all are referencing the issue reported on snyk - i highly recommend taking a step back and thinking about what they are reporting against...

i'm not convinced that this is an issue at all with handlebars so much as it is an issue with the code by the developer(s) that potentially introduced this as an issue. (more information can be found in the comments in this PR - that is now closed after reading up more on the reported issue)

that said - please reconsider even attempting to patch this and reconsider pushing back on this one...