
Npm dependency's vulnerability

ltpitt asked
Hi all,

I have a vulnerability that is preventing my frontend's automated build.

I did an npm update and a bower update; this caused new versions of dependencies to be included in my package.json and bower.json, all fine.

If I try the build, the dependency error is still showing in two different locations:
node_modules/polymer-cli/node_modules/handlebars/dist/handlebars.js - v4.1.2

and

node_modules/bower/lib/node_modules/handlebars/dist/handlebars.js - v4.0.10

I don't understand why those versions were not updated even though I specifically requested the latest version for polymer-cli and bower.
I've searched everywhere in the codebase but I couldn't find any reference to those versions to update them.

Can you please help?

Hi,

I'm not so sure what your issue is but

You can try a newer version
https://github.com/wycats/handlebars.js

Or check the FAQ about compile
https://github.com/wycats/handlebars.js/blob/master/FAQ.md

Official documentation
https://handlebarsjs.com/installation/

Author

Commented:
I can get a new version but all my frontend is built using npm / bower.
I cannot find which is the dependency that I need to update in order to be sure that handlebars (which is a child dependency of this dependency that I cannot find) is correctly updated.
I've removed devDependencies and now it is building fine
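
An added example, not part of the original thread: a small Node.js helper that takes scanner findings in the form quoted in the question and reports which top-level package owns each nested handlebars copy and where that owner is declared. The `package.json` fragment is constructed, and it assumes polymer-cli and bower are listed under devDependencies.

```javascript
// Added example: trace scanner findings back to the top-level package that owns them.
// Input line format assumed: "<path> - v<version>", as quoted in the question.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function traceFinding(line, pkgJson) {
  const m = /^(.*?)(?:\s+-\s+v?(\d+\.\d+\.\d+\S*))?$/.exec(line.trim());
  const parts = m[1].split('/');
  const chain = [];
  // Every "node_modules" segment is followed by a package name; other
  // directories in between (such as bower's "lib") are skipped.
  for (let i = 0; i < parts.length - 1; i++) {
    if (parts[i] !== 'node_modules') continue;
    let name = parts[i + 1];
    if (name.startsWith('@') && parts[i + 2]) name += '/' + parts[i + 2]; // scoped package
    chain.push(name);
  }
  if (chain.length === 0) return null; // path is not inside node_modules
  const owner = chain[0];
  const declaredIn = SECTIONS.find(
    (s) => pkgJson[s] && Object.prototype.hasOwnProperty.call(pkgJson[s], owner)
  ) || null;
  return {
    package: chain[chain.length - 1],
    version: m[2] || null,
    owner,
    chain,
    declaredIn,
    // A nested copy is installed for its parent package; the project's own
    // package.json does not pin it.
    nested: chain.length > 1,
  };
}

function traceFindings(lines, pkgJson) {
  return lines.map((l) => traceFinding(l, pkgJson)).filter(Boolean);
}

// The two findings from the question.
const FINDINGS = [
  'node_modules/polymer-cli/node_modules/handlebars/dist/handlebars.js - v4.1.2',
  'node_modules/bower/lib/node_modules/handlebars/dist/handlebars.js - v4.0.10',
];
// Constructed package.json fragment (assumption; version ranges are placeholders).
const PKG = { dependencies: {}, devDependencies: { 'polymer-cli': '*', bower: '*' } };

for (const f of traceFindings(FINDINGS, PKG)) {
  console.log(`${f.package}@${f.version} <- ${f.chain.join(' > ')} (${f.owner}: ${f.declaredIn || 'not declared'})`);
}
```

An owner reported under `devDependencies` is not installed when dev dependencies are omitted from the install, so its nested copies disappear from the scanned tree with it.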