Bump version of istanbul? #127

Closed
mmucklo opened this issue Feb 9, 2016 · 4 comments


mmucklo commented Feb 9, 2016

The old version of istanbul that gets pulled in seems to use an old version of handlebars that has a vulnerability:

handlebars 1.3.0 has known vulnerabilities:  severity: low; summary: Quoteless Attributes in Templates can lead to Content Injection; https://nodesecurity.io/advisories/61
[...]
qunit 0.9.0
 ↳ istanbul 0.2.5
  ↳ handlebars 1.3.0
Contributor

kof commented Feb 9, 2016

Currently it's using https://github.com/gotwarlost/istanbul/tree/harmony

What's the latest version with harmony support?


maxbarrett commented May 12, 2016

"the harmony branch should be treated as obsolete with the latest Istanbul release. The mainline release now has all the features that the harmony branch has."
gotwarlost/istanbul#284 (comment)

FYI, Istanbul v1.0.0-alpha.2 offers accurate coverage reporting of ES6 code.

Krinkle added the problem label Mar 9, 2017
Member

Krinkle commented Mar 10, 2017

Per https://github.com/gotwarlost/istanbul/blob/v0.4.5/CHANGELOG.md:

v0.3.9

  • Merge harmony branch and start adding ES6 features to istanbul
Krinkle added a commit that referenced this issue Mar 10, 2017
Follows-up 22d61f2, which moved istanbul from v0.2.4 to their 'harmony'
branch in order to support ES6 generator functions.

The branch has since then been merged and released as v0.3.9,
the branch hasn't been updated since.

Ref #127
Member

Krinkle commented Mar 10, 2017

513c75f updates istanbul to v0.4.5 which comes with handlebars v4.0.6. The vulnerability was fixed in 4.0.0 per https://snyk.io/vuln/npm:handlebars.

qunit
+-- istanbul@0.4.5
| +-- handlebars@4.0.6
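
The check this thread performs by hand, listing every dependency path that ends in a handlebars release below the fixed version, can be scripted. The following is an added example, not code from this thread or from the project; it assumes a tree in the shape printed by `npm ls --json`, the function names are hypothetical, and the two sample trees are constructed from the versions quoted above.

```javascript
// Added example: the sample trees are constructed from versions quoted in the thread.
// Tree shape follows `npm ls --json`: { name, version, dependencies: { <name>: {...} } }.

// Parse "major.minor.patch" into numbers; a pre-release suffix is ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version `a` is strictly lower than version `b`.
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return false; // unparseable or missing versions are not flagged
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the tree and return every dependency path ending in `pkg` below `fixedIn`.
function findVulnerablePaths(node, pkg, fixedIn, name = node.name, trail = []) {
  const label = node.version ? `${name}@${node.version}` : name;
  const path = [...trail, label];
  const hits = [];
  if (name === pkg && isBelow(node.version, fixedIn)) hits.push(path.join(" > "));
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(dep, pkg, fixedIn, depName, path));
  }
  return hits;
}

// Constructed sample: the tree reported when the issue was opened.
const before = { name: "qunit", version: "0.9.0", dependencies: {
  istanbul: { version: "0.2.5", dependencies: { handlebars: { version: "1.3.0" } } } } };
// Constructed sample: the tree after the istanbul update (root version not given in the thread).
const after = { name: "qunit", dependencies: {
  istanbul: { version: "0.4.5", dependencies: { handlebars: { version: "4.0.6" } } } } };

console.log(findVulnerablePaths(before, "handlebars", "4.0.0"));
console.log(findVulnerablePaths(after, "handlebars", "4.0.0"));
```
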