qunitjs/node-qunit

Bump version of istanbul?

Closed this issue · 4 comments

The old version of istanbul that gets pulled in seems to use an old version of handlebars that has a vulnerability:

handlebars 1.3.0 has known vulnerabilities:  severity: low; summary: Quoteless Attributes in Templates can lead to Content Injection; https://nodesecurity.io/advisories/61
[...]
qunit 0.9.0
 ↳ istanbul 0.2.5
  ↳ handlebars 1.3.0
kof commented

Currently it's using https://github.com/gotwarlost/istanbul/tree/harmony

What's the latest version with harmony support?

"the harmony branch should be treated as obsolete with the latest Istanbul release. The mainline release now has all the features that the harmony branch has."
gotwarlost/istanbul#284 (comment)

FYI, Istanbul v1.0.0-alpha.2 offers accurate coverage reporting of ES6 code.

Per https://github.com/gotwarlost/istanbul/blob/v0.4.5/CHANGELOG.md:

v0.3.9

  • Merge harmony branch and start adding ES6 features to istanbul

513c75f updates istanbul to v0.4.5 which comes with handlebars v4.0.6. The vulnerability was fixed in 4.0.0 per https://snyk.io/vuln/npm:handlebars.

qunit
+-- istanbul@0.4.5
| +-- handlebars@4.0.6
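The check that motivated this issue, as an added example that is not part of the thread or of node-qunit: walk an `npm ls --json`-style tree, list every path that pulls in handlebars, and flag any version below 4.0.0, the fixed version cited above. The two trees are constructed to mirror the before/after output quoted in the thread.

```javascript
// Added example (not from the issue thread): find a transitive dependency in
// an `npm ls --json`-style tree and flag versions below the advisory's fix.

// Compare two "major.minor.patch" strings (prerelease suffix ignored);
// returns a negative number, zero or a positive number like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every occurrence of `name`, recording the chain of
// parents that pulled it in and whether its version predates `fixedIn`.
function findVulnerable(tree, name, fixedIn, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) {
      hits.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: compareVersions(info.version, fixedIn) < 0,
      });
    }
    hits.push(...findVulnerable(info, name, fixedIn, here));
  }
  return hits;
}

// Constructed trees mirroring the thread: before and after the istanbul bump.
const BEFORE = { dependencies: { istanbul: { version: '0.2.5',
  dependencies: { handlebars: { version: '1.3.0' } } } } };
const AFTER = { dependencies: { istanbul: { version: '0.4.5',
  dependencies: { handlebars: { version: '4.0.6' } } } } };

// Fixed version of handlebars per the advisory cited in the thread.
const HANDLEBARS_FIXED_IN = '4.0.0';

for (const [label, tree] of [['before', BEFORE], ['after', AFTER]]) {
  for (const h of findVulnerable(tree, 'handlebars', HANDLEBARS_FIXED_IN)) {
    console.log(label, h.path, h.vulnerable ? 'VULNERABLE' : 'ok');
  }
}
```

Feed it the parsed output of `npm ls --json` to run the same check against a real install.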