Fix audit vulnerabilities for lodash and handlebars #579
Description
Expected behavior
There are a couple of vulnerabilities that have been with lumber-cli for a while. I was wondering if it would be possible to fix them to get CI pipelines to pass automatically.
Actual behavior
Currently, lumber-cli is fixed to version 4.17.19 that has a high vulnerability. Also, it is linked to version 4.7.6 of handlebars that has a critical vulnerability.
The problem is that it makes fail our CI when checking for vulnerabilities and because they're fixed versions, we can't update them.
Remediation
There are two methods. One would be to merge the dependabot PRs to fix those issues.
However, there's another solution that unless there's a strong reason to dismiss might be a better solution. It would be to change the fixed versions to minimum versions. That way, everybody depending on lumber-cli would be able to upgrade any of these dependencies. I'm not sure what's the reason that lodash, handlebars or sequelize are pinned to specific versions, as they would not be upgraded to major versions but only to minor or patch ones.
Please consider doing so.
I offer to send the PR with those changes if you would approve it.