Handlebars 3.0.8 and 3.0.7 are closely related versions of the popular templating engine, designed to empower developers to build semantic templates efficiently. Both versions share the same core dependencies, including optimist for command-line argument parsing, source-map for debugging, and uglify-js for JavaScript minification. Their development dependencies are also identical, encompassing a wide range of tools for testing, building, and linting, like grunt, webpack, babel, mocha, and eslint, emphasizing a strong commitment to code quality and modern development practices.
The key difference lies in the dist attributes. Version 3.0.8 has a fileCount of 103 and an unpackedSize of 3,359,485 bytes, while version 3.0.7 has a fileCount of 84 and an unpackedSize of 1,084,760 bytes. This significant difference in both file count and unpacked size suggests potential enhancements, bug fixes, or optimizations incorporated into the newer version. For developers, this implies that 3.0.8 *might* offer improved performance, stability, or new features compared to 3.0.7, justifying an upgrade. Additionally, version 3.0.8 has a later releaseDate of "2020-02-23T10:02:30.932Z", while 3.0.7 was released at "2019-06-30T08:54:45.053Z". The later release date means 3.0.8 likely contains newer changes.
All vulnerabilities affecting version 3.0.8 of the package
Cross-Site Scripting in handlebars
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
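The mitigation above asks for every attribute in a template to be quoted. The following is an added example, not code from the advisory or from the Handlebars project: a heuristic check that scans a template's start tags for an attribute whose value is a bare `{{...}}` or `{{{...}}}` expression (the `<a href={{foo}}/>` pattern from the advisory) and reports it, with an auto-fix that wraps the expression in double quotes. The function and regex names are my own; the check is regex-based and covers ordinary tags rather than every corner of HTML.

```javascript
// Added example (not from the advisory or the Handlebars project):
// flag Handlebars expressions used as unquoted HTML attribute values.

// A start tag: "<", a letter, then anything up to the closing ">".
const TAG_RE = /<[A-Za-z][^<>]*>/g;

// Inside a tag: attribute name, "=", then a mustache that starts right
// after "=" (so it is not wrapped in quotes). Handles {{x}} and {{{x}}}.
const UNQUOTED_RE = /(?<=\s)([A-Za-z_:][\w:.-]*)=(\{\{\{?[^{}]*\}\}\}?)/g;

// Returns one finding per unquoted attribute expression in the template.
function findUnquotedAttributeExpressions(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    for (const m of tag[0].matchAll(UNQUOTED_RE)) {
      findings.push({
        attribute: m[1],
        expression: m[2],
        index: tag.index + m.index, // offset within the whole template
        tag: tag[0],
      });
    }
  }
  return findings;
}

// Rewrites href={{foo}} to href="{{foo}}" in every start tag; text outside
// tags is left untouched.
function quoteAttributeExpressions(template) {
  return template.replace(TAG_RE, (tag) =>
    tag.replace(UNQUOTED_RE, (_, name, expr) => `${name}="${expr}"`)
  );
}

// Constructed sample template: the advisory's tag plus a safe, quoted one.
const SAMPLE = '<a href={{foo}}/>\n<a href="{{bar}}">ok</a>';
for (const f of findUnquotedAttributeExpressions(SAMPLE)) {
  console.log(`unquoted ${f.attribute}=${f.expression} in ${f.tag}`);
}
console.log(quoteAttributeExpressions(SAMPLE));
```

Running the check over a template directory in CI turns the advisory's "ensure that all attributes are encapsulated with quotes" into something that fails a build rather than relying on review.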
Prototype Pollution in handlebars
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application. This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
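The two minimist behaviours described above (a `--__proto__.y=Polluted` argument landing on every object, and `--__proto__=Polluted` crashing the process) both come from writing a dotted argument path into a nested object without checking the path segments. The following is an added example and is not minimist's code: a small `--a.b=value` parser whose nested key-assignment step refuses any segment that would reach a shared prototype (`__proto__`, `constructor`, `prototype`) and reports the rejected argument instead of throwing. Function names, the forbidden-segment list and the sample arguments are my own choices for illustration.

```javascript
// Added example (not minimist's code): nested key assignment from CLI
// arguments that cannot reach Object.prototype.

// Path segments that would let a dotted key walk onto a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns value at obj[path[0]][path[1]]... creating plain objects on the
// way. Returns false (and writes nothing) if any segment is forbidden.
function setKey(obj, path, value) {
  if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
    return false;
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    // Only descend into our own plain-object children; never into an
    // inherited property such as toString.
    if (
      !Object.prototype.hasOwnProperty.call(cur, key) ||
      typeof cur[key] !== 'object' ||
      cur[key] === null
    ) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Parses "--name=value" and "--a.b.c=value" arguments into { args, rejected }.
// Arguments that do not match the pattern are ignored for brevity.
function parseArgs(argv) {
  const args = {};
  const rejected = [];
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const path = m[1].split('.');
    if (!setKey(args, path, m[2])) {
      rejected.push(arg); // log this: it is an attempted pollution
    }
  }
  return { args, rejected };
}

// Constructed sample argv: the two arguments quoted in the advisory plus a
// legitimate nested option.
const result = parseArgs(['--__proto__.y=Polluted', '--a.b=c', '--__proto__=Polluted']);
console.log(JSON.stringify(result.args));   // {"a":{"b":"c"}}
console.log(result.rejected);               // both __proto__ arguments
console.log('polluted?', ({}).y !== undefined); // false
```

The `rejected` list is worth surfacing in logs: an argument containing `__proto__` or `constructor.prototype` arriving from an untrusted source is a strong detection signal regardless of whether the parser is vulnerable.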
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).