Open
Description
NPM is telling me `found 1 high severity vulnerability` and it looks to be coming through a chain of dependencies on grunt-typedoc.

Here is the result of running `npm audit`:
```text
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High           Prototype Pollution
Package        handlebars
Patched in     >=4.0.13
Dependency of  grunt-typedoc [dev]
Path           grunt-typedoc > typedoc > handlebars
More info      https://npmjs.com/advisories/755

found 1 high severity vulnerability in 1710715 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
So I did some digging in the package-lock.json of my project. Here is the chain:
```json
"grunt-typedoc": {
  "version": "0.2.4",
  "resolved": "https://registry.npmjs.org/grunt-typedoc/-/grunt-typedoc-0.2.4.tgz",
  "integrity": "sha1-TjgqVObdnxqqK9fBhj0dJh28tj8=",
  "dev": true,
  "requires": {
    "typedoc": "^0.4.1"
  },
  "dependencies": {
    // abbreviated
    "handlebars": {
      "version": "4.0.5",
      "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz",
      "integrity": "sha1-ksbta7FkEQxQ1NjQ+93HCAbG+Oc=",
      "dev": true,
      "requires": {
        "async": "^1.4.0",
        "optimist": "^0.6.1",
        "source-map": "^0.4.4",
        "uglify-js": "^2.6"
      }
    },
    // abbreviated
```
I'll probably just switch to using grunt-run for this task but I thought I'd file an issue because it probably could be solved by changing your package.json to a newer version of typedoc.
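The chain the reporter dug out of package-lock.json by hand can be recovered mechanically. In lockfile v1, `requires` records the logical edge (typedoc needs handlebars) while the nested `dependencies` maps record where npm physically placed each package, so the path npm audit prints has to be found by resolving every `requires` entry the way Node does: innermost `dependencies` first, then each parent, then the root. The script below is an added example, not code from the reporter or the grunt-typedoc project; `findVulnerablePaths`, `resolve` and `sampleLock` are names chosen here, and typedoc's version and its own `requires` entry are assumed because the issue abbreviates them.

```javascript
const TARGET = "handlebars";
const PATCHED = "4.0.13"; // from the advisory quoted in the issue: patched in >=4.0.13
function parseVersion(v) {
  return v.replace(/^[^\d]*/, "").split(/[.+-]/, 3).map((n) => parseInt(n, 10) || 0);
}
function lessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Node-style lookup: search the innermost "dependencies" map first, then each
// parent up to the root. Returns the scope stack extended with the found node.
function resolve(stack, name) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const deps = stack[i].dependencies || {};
    if (deps[name]) return stack.slice(0, i + 1).concat(deps[name]);
  }
  return null;
}
// Depth-first walk over "requires" edges (the logical graph), collecting every
// path that reaches `target` at a version below `patched`; `onPath` breaks cycles.
function findVulnerablePaths(lock, target, patched) {
  const hits = [];
  const visit = (stack, names, onPath) => {
    for (const req of Object.keys(stack[stack.length - 1].requires || {})) {
      const next = resolve(stack, req);
      if (!next) continue; // required package is missing: the lock file is inconsistent
      const found = next[next.length - 1];
      if (req === target && lessThan(found.version, patched)) {
        hits.push({ path: names.concat(req).join(" > "), version: found.version });
      } else if (!onPath.has(found)) {
        visit(next, names.concat(req), new Set(onPath).add(found));
      }
    }
  };
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    if (name === target && lessThan(entry.version, patched)) hits.push({ path: name, version: entry.version });
    visit([lock, entry], [name], new Set([entry]));
  }
  return hits;
}
// Constructed lock fragment mirroring the issue's chain; typedoc's version and
// its "requires" entry are assumed, since the issue abbreviates them.
const sampleLock = { dependencies: { "grunt-typedoc": {
  version: "0.2.4", dev: true, requires: { typedoc: "^0.4.1" },
  dependencies: {
    typedoc: { version: "0.4.5", dev: true, requires: { handlebars: "^4.0.5" } },
    handlebars: { version: "4.0.5", dev: true, requires: { async: "^1.4.0" } },
    async: { version: "1.5.2", dev: true } } } } };
console.log(findVulnerablePaths(sampleLock, TARGET, PATCHED));
```

Run against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; a hit means bumping the top of the reported path (here typedoc via grunt-typedoc) rather than patching handlebars in isolation.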