Update dependency handlebars to v4.3.0 #36
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.0.12
->4.3.0
By merging this PR, the below issues will be automatically resolved and closed:
Release Notes
wycats/handlebars.js
v4.3.0
Compare Source
Fixes:
2078c72
2078c72
Features:
allowCallsToHelperMissing
to allow callingblockHelperMissing
andhelperMissing
.Breaking changes:
Compatibility notes:
Compiler revision increased -
06b7224
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly -
2078c72
{{blockHelperMissing}}
wasnever intended and was part of the exploits that have been revealed early in 2019
(see #1495). It is also part of a new exploit that
is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
is now not possible anymore. Overriding those helpers is still possible.
allowCallsToHelperMissing
totrue
and thecalls will again be possible
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
Commits
v4.2.2
Compare Source
v4.2.1
Compare Source
Bugfixes:
c55a7be
, #1553Compatibility notes:
Commits
v4.2.0
Compare Source
Chore/Test:
grunt-saucelab
with current sauce-connect proxy -f119497
f9cce4d
a57b682
Bugfixes:
knownHelpers
doesnt allow for custom helpers (@NickCis)Features:
Compatibility notes:
shows that it works, but if it doesn't please open an issue.
Commits
v4.1.2
Compare Source
#1540 - added browser to package.json, resolves #1102 (@ouijan)
Compatibility notes:
Commits
v4.1.1
Compare Source
Bugfixes:
5cedd62
Refactorings:
048f2ce
445ae12
Compatibility notes:
Commits
v4.1.0
Compare Source
New Features
27ac1ee
Security fixes:
42841c4
, #1495Housekeeping
bacd473
78dd89c
6b87c21
Compatibility notes:
Access to class constructors (i.e.
({}).constructor
) is now prohibited to preventRemote Code Execution. This means that following construct will no work anymore:
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
Commits
v4.0.14
Compare Source
v4.0.13
Compare Source