
v1.3.0 and handlebars High Vulnerability #87

Closed
mationai opened this issue Feb 28, 2019 · 12 comments

@mationai

npm audit reports handlebars High Vulnerability used in @okta/openapi.

handlebars has fixed the issue in handlebars-lang/handlebars.js#1495

Has @okta/openapi pulled the handlebars fix?

Where is the @okta/openapi repo?

package.json in this repo says the version is 1.3.0, why is it not published to npm?

If @okta/openapi has the fix, did 1.3.0 pull that in?

If not, can we raise the priority on this since it's a High Vulnerability and the fix is already in?

thanks.

@swiftone swiftone self-assigned this Mar 1, 2019
@swiftone
Contributor

swiftone commented Mar 1, 2019

Thanks for the note! I'm new to this repo, so I'll have to dig to get some answers.

@alexpx

alexpx commented Mar 13, 2019

Hi @swiftone,
Any updates regarding this issue?

@swiftone
Contributor

Thanks for your diligence - I know it can be frustrating when companies are externally quiet.

Updates:

Has @okta/openapi pulled the handlebars fix?
Where is the @okta/openapi repo?

Currently @okta/openapi is an internal package. I've put in a PR to update the vulnerable dependencies (and also started the process of asking if it can be made public - no promises on that front!)

package.json in this repo says the version is 1.3.0, why is it not published to npm?

Looks like we missed a release step at some point - once I get the openapi updated, I'll make sure the updated okta-sdk-node is fully released.

@swiftone
Contributor

I've been side-tracked, but this issue is not being ignored. While the vulnerability is ranked (upstream) "high" in general, our use of handlebars in this package doesn't expose a meaningful attack vector.

@mationai
Author

Thank you. It seems odd "openapi" is not open to the public. Open sourcing it will allow visibility so questions like "Has @okta/openapi pulled the handlebars fix?" don't need to be asked, and provides a venue for issues if any are found.

@alayjv

alayjv commented Mar 29, 2019

Hello @swiftone,
I am also facing the same. Has there been an update on this?

@swiftone
Contributor

Hey @alayjv -

Getting the update published is on me, but is lower priority than my other tasks since the npm report is essentially a false positive (it's correct for handlebars, but in this case no user input goes to handlebars (it's a devDependency) so in this repo it doesn't present an actual security threat).

I can't give a precise timeline, but I can say it's on the top of my "do while stuff is building/testing" list. If this is having a negative impact on you please thumbs-up the issue and that will give it weight in our prioritization.

@swiftone
Contributor

Discussions regarding @okta/openapi should move to #106; this issue will remain to ensure the open-sdk-nodejs update gets published.

@mationai
Author

  1. @swiftone handlebars vulnerability is still there in the latest version. handlebars has fixed the issue in Prototype Pollution with Remote Code Execution handlebars-lang/handlebars.js#1495 back in Feb.

  2. Just like previous v1.3.0, there is again a mismatch of version published to npm (v2.0.0) and version in package.json (v2.1.0).

@ygins

ygins commented Jul 31, 2019

Glad that it's not a real security issue! Would love to see it fixed in the near future, though.

@swiftone
Contributor

@Yona168 - Thanks for the feedback. Based on the general desire for this to be fixed it's been placed in the backlog, but it isn't in the front of some other work. Thanks for your patience!

@shuowu-okta
Contributor

The issue has been resolved in the latest release. Close.
