
[4.x] High severity security issue in minimist-dependency #1841

Closed
wants to merge 2 commits into from

Conversation


@rlsf rlsf commented Mar 21, 2022

Updated dependencies according to npm audit fix.

@jaylinski (Member)

@rlsf In #1842 you wrote:

> please merge it and release a new version, as currently handlebars suffers from a critical CVE

When doing a fresh install of handlebars, the npm audit-command currently reports the following:

minimist  *
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/minimist
  handlebars  >=4.7.6
  Depends on vulnerable versions of minimist
  node_modules/handlebars

2 high severity vulnerabilities

This PR will not solve those issues, since the lock-file is ignored when installing a package as dependency.

Also, the minimist vulnerability will only be solved when https://github.com/substack/minimist/pull/165 is merged and tagged; nothing we can do here.

In our current master (designated version 5) we have already gotten rid of the minimist dependency, so I will invest some time in a new major release.

@jaylinski (Member) commented Mar 21, 2022

Maybe we should use https://github.com/meszaros-lajos-gyorgy/minimist-lite instead of minimist in 4.x. 🤔

@jaylinski jaylinski changed the title npm audit fix [4.x] High severity security issue in minimist-dependency Mar 21, 2022
@jaylinski jaylinski self-assigned this Mar 21, 2022
@rlsf (Author) commented Mar 22, 2022

Indeed, I didn't notice that the update didn't upgrade minimist.
minimist v1.2.6, with a fix to the aforementioned CVE, was released 3 hours ago.
I've updated the PR with it.

@jesperhagstrom

Sorry, I noticed this PR after I created #1843; however, this PR seems to update the 5.x branch while mine updates 4.x. I'll close my PR if not applicable.

@jaylinski (Member) commented Mar 22, 2022

As mentioned before, the lock-file is only used when directly checking out this repo and running npm install.

When installing handlebars in your project via npm i handlebars and running npm audit, there are no security issues (because minimist released a fix):

[screenshot of the npm audit output]
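As an added example (not code from the handlebars project or from anyone in this thread): a POSIX shell check that lists every copy of minimist in a project's node_modules tree whose version is below the 1.2.6 fix release named above, nested copies included, which is where a dependency such as handlebars would bring its own minimist regardless of the lock-file in this repo. The function names are hypothetical, and applying the 1.2.6 threshold to every release line (so any 0.x copy is also reported) is a deliberately conservative assumption.

```shell
#!/bin/sh
# Added example, not part of the handlebars project: find copies of
# minimist below the fixed release (1.2.6, as mentioned in the thread),
# including nested ones like node_modules/handlebars/node_modules/minimist.

FIXED="1.2.6"   # fix release named in the thread; applied to all release lines

# version_lt A B: exit 0 if dotted version A sorts before B numerically.
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop pre-release suffixes
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# vulnerable_minimist_copies ROOT: print "<package dir> <version>" for each
# minimist package.json under ROOT whose version is below FIXED.
vulnerable_minimist_copies() {
  find "$1" -type f -path '*/node_modules/minimist/package.json' |
  while read -r pkg; do
    ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    [ -n "$ver" ] || continue
    if version_lt "$ver" "$FIXED"; then
      printf '%s %s\n' "${pkg%/package.json}" "$ver"
    fi
  done
}

# Usage: sh check-minimist.sh /path/to/project
[ $# -gt 0 ] && vulnerable_minimist_copies "$1"
```

An empty result means no copy of minimist older than 1.2.6 is installed anywhere in the tree, which is the same state npm audit reports above after the upstream fix.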
