JavaScript - How to fix Handlebars Security Vulnerability - from a Dependency's Dependency
Question: How can I fix a GitHub Security Vulnerability that results from a Library Dependency's Dependencies?
Context:
I received the following security vulnerability recently:
1 handlebars vulnerability found in package-lock.json 10 days ago
Adding one of these lines to the package.json file does not appear to resolve the security issue. Rather, the only instance I have found of handlebars being potentially < 4.3.0 is a reference in the package-lock.json:
```json
"istanbul-reports": {
  "version": "2.1.1",
  "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-2.1.1.tgz",
  "integrity": "sha512-FzNahnidyEPBCI0HcufJoSEoKykesRlFcSzQqjH9x0+LC8tnnE/p/90PBLu8iZTxr8yYZNyTtiAujUqyN+CIxw==",
  "dev": true,
  "requires": {
    "handlebars": "^4.1.0"
  }
},
```
When traversing the dependency chain in the package-lock.json file, "istanbul-reports" is pulled when using Jest. Unfortunately, below appears to be the most recent version.
```json
"devDependencies": {
  "jest": "^24.5.0"
}
```
Any suggestions on how I can remediate or fix this? Thank you!
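The dependency-chain traversal the question describes can be automated. The script below is an added example, not code from the question, the answer or the Jest/Handlebars projects: it walks a `lockfileVersion: 1` package-lock tree from the packages named in package.json and reports every chain ending in a package whose resolved version is below the fixed version. The lock data is constructed; `jest-cli` is assumed as the intermediate package between `jest` and `istanbul-reports`, and `handlebars@4.1.2` is a constructed resolved version inside the `^4.1.0` range.

```javascript
// Added example (not from the question or answer): walk a lockfileVersion 1
// package-lock.json and list every dependency chain that ends in a package whose
// resolved version is below a given fixed version. The lock data below is constructed;
// "jest-cli" is assumed as the intermediate package between jest and istanbul-reports.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    jest: { version: "24.5.0", dev: true, requires: { "jest-cli": "^24.5.0" } },
    "jest-cli": { version: "24.5.0", dev: true, requires: { "istanbul-reports": "^2.1.1" } },
    "istanbul-reports": { version: "2.1.1", dev: true, requires: { handlebars: "^4.1.0" } },
    handlebars: { version: "4.1.2", dev: true }, // constructed: resolved below 4.3.0
  },
};

// Numeric compare of "major.minor.patch" strings (pre-release suffixes are ignored).
function versionLessThan(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// npm resolves a required name against the nearest enclosing "dependencies" map
// (nested copies exist only on version conflicts), then falls back to the root map.
function resolveEntry(name, scopes) {
  for (const deps of scopes) if (deps && deps[name]) return deps[name];
  return undefined;
}

// roots: names listed in package.json (here the devDependencies), so each chain
// starts from something the project asked for rather than from every lock entry.
function findVulnerablePaths(lock, roots, target, fixedVersion) {
  const hits = [];
  const visit = (name, entry, scopes, chain, seen) => {
    if (!entry || seen.has(name)) return; // missing entry or dependency cycle
    const here = [...chain, `${name}@${entry.version}`];
    if (name === target && versionLessThan(entry.version, fixedVersion)) hits.push(here.join(" > "));
    const inner = [entry.dependencies, ...scopes];
    const nextSeen = new Set(seen).add(name);
    for (const dep of Object.keys(entry.requires || {})) {
      visit(dep, resolveEntry(dep, inner), inner, here, nextSeen);
    }
  };
  for (const root of roots) visit(root, resolveEntry(root, [lock.dependencies]), [lock.dependencies], [], new Set());
  return hits;
}
console.log(findVulnerablePaths(SAMPLE_LOCK, ["jest"], "handlebars", "4.3.0"));
```

On a real project, `npm ls handlebars` prints the same chain from the installed tree; the script is useful when you want to check a lockfile without installing it or to check against a specific fixed version.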
Solution 1:[1]
You should be using {{double handlebars}} unless you explicitly want your input not to be escaped (which you want 99% of the time, as user input can never be trusted). Here are the docs: https://handlebarsjs.com/guide/#html-escaping
If, e.g., you let your user input data and then display it on your page in {{{input}}}, a user could use that to insert a malicious script.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Kate Velasquez |