-
-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default handlebars.js (4.0.4) contains security issues #703
Comments
Our project's security scanner (BlackDuck) is also getting tripped by the handlebars.js 4.0.4 that's included in the jar. Any chance we could get a new release upgrading it? |
Hi Edgar, |
@jknack ^^^ |
We found it in eclipse-ee4j#74, but had to wait for a fix: jknack/handlebars.java#703
The default handlebars version shipped with the plugin contains some security issues that have been fixed in upstream versions:
I don't know if this is really an issue with handlebars.java, but it causes scanners like Snyk or RetireJS to trigger if they see it in the project dependencies. I suggest to update the default file to the latest version of the 4.0.x tree (currently 4.0.14).
The text was updated successfully, but these errors were encountered: