philipabed / handlebars12 Goto Github PK
View Code? Open in Web Editor NEWThis project forked from jf-sandbox/handlebars
Testing Remediate on older Handlebars JS versions
This project forked from jf-sandbox/handlebars
Testing Remediate on older Handlebars JS versions
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
jest
, typescript
)package.json
handlebars 4.0.14
jest 29.0.0
typescript 4.8.2
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: main
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (handlebars): 4.7.4
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution: 4.4.5
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
Release Date: 2019-12-20
Fix Resolution: 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution: 4.1.2-0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-10-15
Fix Resolution: 4.5.3
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Publish Date: 2020-01-09
URL: WS-2020-0450
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.22.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in base branch: main
Babel is a compiler for writingJavaScript. In @babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()
or path.evaluateTruthy()
internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime
; @babel/preset-env
when using its useBuiltIns
option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider
, such as babel-plugin-polyfill-corejs3
, babel-plugin-polyfill-corejs2
, babel-plugin-polyfill-es-shims
, babel-plugin-polyfill-regenerator
. No other plugins under the @babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected]
and @babel/[email protected]
. Those who cannot upgrade @babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse
versions: @babel/plugin-transform-runtime
v7.23.2, @babel/preset-env
v7.23.2, @babel/helper-define-polyfill-provider
v0.4.3, babel-plugin-polyfill-corejs2
v0.4.6, babel-plugin-polyfill-corejs3
v0.8.5, babel-plugin-polyfill-es-shims
v0.10.0, babel-plugin-polyfill-regenerator
v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (jest): 29.0.1
⛑️ Automatic Remediation will be attempted for this issue.
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: main
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (handlebars): 4.7.4
⛑️ Automatic Remediation will be attempted for this issue.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.