Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

npm audit fails: upgrade handlebars >=4.5.3

See original GitHub issue

Newman Version (can be found via newman -v): 4.5.6
OS details (type, version, and architecture): Mac OS
Are you using Newman as a library, or via the CLI? CLI
Did you encounter this recently, or has this bug always been there: recently
Expected behaviour: npm audit passes
Command / script used to run Newman: npm audit
Sample collection, and auxiliary files (minus the sensitive details): NA
Screenshots (if applicable):

$ cat package.json
{
  "dependencies": {
    "newman": "^4.5.6"
  }
}

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1316                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1324                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1325                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 high severity vulnerabilities in 357 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Issue Analytics

State:
Created 4 years ago
Reactions:9
Comments:9 (3 by maintainers)

Top GitHub Comments

2reactions

memarkcommented, Dec 5, 2019

Please fix this!

1reaction

anishknycommented, Dec 6, 2019

@shamasis thanks - thats good enough for me - please close this issue when its patched to let us know! Cheers! (and by the way absolutely love Postman and esp. newman keep up the great work - sorry if I came off as angry haha)

Top Results From Across the Web

handlebars@4.5.3 - Snyk Vulnerability Database

handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution when selecting certain ...

Auditing package dependencies for security vulnerabilities

To upgrade, run npm install npm@latest -g . The npm audit command submits a description of the dependencies configured in your package to...

npm err! node-sass@7.0.3 postinstall: `node scripts/build.js` - You ...

I'm working on my first node.js project and am using handlebars for templating. When I deployed through Heroku today I got a 500...

Changelog - Cypress Documentation

Fixed an issue where the Cypress migration wizard would fail to run in global mode ... Installing Cypress on your system now requires...

Changelog - Nextcloud

Update timely and don't run unmaintained Nextcloud versions. ... Prevent throwing an error in node deletion hook (photos#1493) · Run npm audit fix ......