npm audit vulnerability because of handlebars > optimist > minimist #277

Closed
fabb opened this issue Mar 27, 2020 · 3 comments

Comments


fabb commented Mar 27, 2020

dependency-cruiser 8.0.2 depends on handlebars@4.7.3 which depends on optimist@^0.6.1 which depends on a vulnerable version of minimist@0.0.*.

Currently there is no new handlebars version available that does not produce vulnerability errors, but there already is an open ticket for that: handlebars-lang/handlebars.js#1658

Once there is a new handlebars version available, please update the dependency on handlebars in dependency cruiser. Or, maybe even better, change the dependency right away to a semantic version range like ^4.7.3.

@sverweij (Owner)

I'm acutely aware and am following handlebars-lang/handlebars.js#1658 with interest. Might be some time it gets merged, though - the maintainer currently has more pressing things to attend to - as might I, f.tm. ...

B.t.w. on runtime dependency-cruiser does not use handlebars' cli, so strictly speaking it's a false positive (as it is for most installations using handlebars, I guess).

I have a strict policy to not trust semantic version ranges of third party packages beyond what I can run on a ci. As in normal circumstances dependency-cruiser gets updated every one or two weeks (which includes updates to external dependencies) and faster in case of security issues this should be good enough to go.


sverweij commented Apr 2, 2020

@fabb - I saw you helped out handlebars with a bunch of unit tests so they could move on to yargs -> thanks!!! 🙏 .

I'll release an updated dependency-cruiser tonight!


sverweij commented Apr 2, 2020

published as 8.1.1
[attached image]

@sverweij sverweij closed this as completed Apr 4, 2020
@sverweij sverweij added this to roadmap May 26, 2024
@sverweij sverweij moved this to released in roadmap May 26, 2024