Update dependency handlebars to v4.3.0 #36

mend-for-github-com · 2019-10-24T12:08:07Z

This PR contains the following updates:

Package	Type	Update	Change
handlebars (source)	devDependencies	minor	`4.0.12` -> `4.3.0`

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
High	7.3	WS-2019-0291	Fixes #35

Release Notes

wycats/handlebars.js

`v4.3.0`

Compare Source

Fixes:

Security: Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72

Features:

Add new runtime option allowCallsToHelperMissing to allow calling blockHelperMissing and helperMissing.

Breaking changes:

Compatibility notes:

Compiler revision increased - 06b7224
- This means that template compiled with versions prior to 4.3.0 will not work with runtimes >= 4.3.0
  The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
  to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
  that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72
- Calling "helperMissing" and "blockHelperMissing" directly from a template (like in {{blockHelperMissing}} was
  never intended and was part of the exploits that have been revealed early in 2019
  (see #1495). It is also part of a new exploit that
  is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
  is now not possible anymore. Overriding those helpers is still possible.
- If you really need this behavior, you can set the runtime option allowCallsToHelperMissing to true and the
  calls will again be possible

Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.

We consider it more important to resolve a major security issue than to maintain 100% compatibility.

Commits

`v4.2.2`

Compare Source

`v4.2.1`

Compare Source

Bugfixes:

The "browser" property in the package.json has been updated to use the common-js builds instead of the minified UMD - c55a7be, #1553

Compatibility notes:

No compatibility issues should arise

Commits

`v4.2.0`

Compare Source

Chore/Test:

Use custom grunt-saucelab with current sauce-connect proxy - f119497
Add framework for various integration tests - f9cce4d
Add integration test for webpack - a57b682

Bugfixes:

#1544 - Typescript types: knownHelpers doesnt allow for custom helpers (@NickCis)
#1534 - Add typings for "Handlebars.VM.resolvePartial (@AndrewLeedham)

Features:

#1540 - added "browser"-property to package.json, resolves #1102 (@ouijan)

Compatibility notes:

The new "browser"-property should not break anything, but you can never be sure. The integration test for webpack
shows that it works, but if it doesn't please open an issue.

Commits

`v4.1.2`

Compare Source

#1540 - added browser to package.json, resolves #1102 (@ouijan)

Compatibility notes:

We are not sure if imports via webpack are still working, which is why this release is a pre-release

Commits

`v4.1.1`

Compare Source

Bugfixes:

fix: add "runtime.d.ts" to allow "require('handlebars/runtime')" in TypeScript - 5cedd62

Refactorings:

replace "async" with "neo-async" - 048f2ce
use "substring"-function instead of "substr" - 445ae12

Compatibility notes:

This is a bugfix release. There are no breaking change and no new features.

Commits

`v4.1.0`

Compare Source

New Features

import TypeScript typings - 27ac1ee

Security fixes:

disallow access to the constructor in templates to prevent RCE - 42841c4, #1495

Housekeeping

chore: fix components/handlebars package.json and auto-update on release - bacd473
chore: Use node 10 to build handlebars - 78dd89c
chore/doc: Add more release docs - 6b87c21

Compatibility notes:

Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:

class SomeClass {
}

SomeClass.staticProperty = 'static'

var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.

This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).

Commits

`v4.0.14`

Compare Source

`v4.0.13`

Compare Source

If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the security fix Security fix generated by WhiteSource label Oct 24, 2019

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from a5f66d3 to 75fb9ab Compare October 28, 2019 19:09

mend-for-github-com bot changed the title ~~Update dependency handlebars to v4.4.5~~ Update dependency handlebars to v4.5.0 Oct 28, 2019

mend-for-github-com bot changed the title ~~Update dependency handlebars to v4.5.0~~ Update dependency handlebars to v4.5.1 Oct 29, 2019

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch 4 times, most recently from 5396ff3 to 50a6f5b Compare November 2, 2019 09:09

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from 50a6f5b to c0a9b77 Compare November 6, 2019 09:09

mend-for-github-com bot changed the title ~~Update dependency handlebars to v4.5.1~~ Update dependency handlebars to v4.5.3 Nov 19, 2019

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from c0a9b77 to 9c22188 Compare November 19, 2019 18:05

mend-for-github-com bot changed the title ~~Update dependency handlebars to v4.5.3~~ Update dependency handlebars to v4.3.0 Nov 21, 2019

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch 2 times, most recently from 296619a to 57f8653 Compare November 25, 2019 17:08

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from 57f8653 to f474fa6 Compare November 30, 2019 05:02

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from f474fa6 to 2ada114 Compare December 8, 2019 17:16

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from 2ada114 to 74e6b3d Compare December 27, 2019 01:07

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch 2 times, most recently from 9791edc to 846bca4 Compare January 12, 2020 13:09

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from 846bca4 to aea3c2f Compare January 21, 2020 02:23

Update dependency handlebars to v4.3.0

9e8b3cb

mend-for-github-com bot force-pushed the whitesource-remediate/handlebars-4.x-lockfile branch from aea3c2f to 9e8b3cb Compare February 3, 2020 23:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency handlebars to v4.3.0 #36

Update dependency handlebars to v4.3.0 #36

mend-for-github-com bot commented Oct 24, 2019 •

edited

Update dependency handlebars to v4.3.0 #36

Are you sure you want to change the base?

Update dependency handlebars to v4.3.0 #36

Conversation

mend-for-github-com bot commented Oct 24, 2019 • edited

Release Notes

mend-for-github-com bot commented Oct 24, 2019 •

edited