Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump handlebars from 3.0.8 to 4.7.7 in /war #6753

Closed
wants to merge 1 commit into from
Closed

Bump handlebars from 3.0.8 to 4.7.7 in /war #6753

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 2, 2022
edited

Bumps handlebars from 3.0.8 to 4.7.7.

Changelog

Sourced from handlebars's changelog.

v4.7.7 - February 15th, 2021

  • fix weird error in integration tests - eb860c0
  • fix: check prototype property access in strict-mode (#1736) - b6d3de7
  • fix: escape property names in compat mode (#1736) - f058970
  • refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
  • chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

  • the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

Compatibility notes:

  • Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

  • Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

  • Node.js < v6 is no longer supported Reverted in 4.7.6

Commits

v4.7.4 - April 1st, 2020

Chore/Housekeeping:

Compatibility notes:

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code, used by dependency tooling labels Jul 2, 2022
@dependabot dependabot bot requested a review from a team July 2, 2022 11:38
@NotMyFault NotMyFault added ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback skip-changelog Should not be shown in the changelog labels Jul 2, 2022
NotMyFault
NotMyFault approved these changes Jul 2, 2022
View reviewed changes
Copy link
Member

@NotMyFault NotMyFault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is now ready for merge. We will merge it after ~24 hours if there is no negative feedback.
Please see the merge process documentation for more information about the merge process.
Thanks!

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/war/handlebars-4.7.7 branch 2 times, most recently from 30343cc to e3f5851 Compare July 3, 2022 17:11
basil
basil reviewed Jul 3, 2022
View reviewed changes
Copy link
Member

@basil basil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plugin-impacting change; lacks sufficient testing.

@basil basil removed ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback skip-changelog Should not be shown in the changelog labels Jul 3, 2022
@NotMyFault NotMyFault added the rfe For changelog: Minor enhancement. use `major-rfe` for changes to be highlighted label Jul 4, 2022
@NotMyFault
Copy link
Member

NotMyFault commented Jul 4, 2022
edited

Plugin-impacting change; lacks sufficient testing.

I tested this PR with plugins using handlebars and core itself.

The pipeline stage view plugin uses jenkinsci/js-lib to get their version of handlebars, 3.x,
and the job dsl plugin shades their own version of handlebars, 4.x.
Both plugins work fine with this PR and aren't affected by core version changes of this library.
There are a couple of plugins in the org using handlebars too, but had no notable SCM activity in more than 7 years, I didn't test this PR with.

The core views using handlebars are fine too, I didn't spot anything odd.

I changed the labels to highlight this change in the changelog, in case it impacts closed source plugins we're unable to check, we can let developers know about the update.

@timja
Copy link
Member

timja commented Jul 4, 2022

lacks sufficient testing.

Based on what?

This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback.

Thanks!

@timja timja added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Jul 4, 2022
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/war/handlebars-4.7.7 branch 2 times, most recently from 749f8f3 to 0cdc44c Compare July 4, 2022 13:55
@dependabot
Bump handlebars from 3.0.8 to 4.7.7 in /war
1d623fe 
Bumps [handlebars](https://github.com/wycats/handlebars.js) from 3.0.8 to 4.7.7.
- [Release notes](https://github.com/wycats/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/master/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v3.0.8...v4.7.7)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/war/handlebars-4.7.7 branch from 0cdc44c to 1d623fe Compare July 4, 2022 14:09
@basil
Copy link
Member

basil commented Jul 4, 2022

Based on what?

Based on the lack of a "testing done" section in the PR description at the time the ready-for-merge label was added. Note that #6749 has already caused a regression and I am reverting it in #6774.

@NotMyFault NotMyFault removed ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback rfe For changelog: Minor enhancement. use `major-rfe` for changes to be highlighted labels Jul 4, 2022
@NotMyFault
Copy link
Member

NotMyFault commented Jul 4, 2022
edited

Based on what?

Based on the lack of a "testing done" section in the PR description at the time the ready-for-merge label was added. Note that #6749 has already caused a regression and I am reverting it in #6774.

Aside from this, core's handlebars technically need a few tweaks to comply with 4.x's security standards, to warrant a warning-free compile time.

I propose we close this PR for now, exclude handlebars while linking to my (wip) issue on the frontend dependency epic on jira with steps to apply a flawless migration.

@NotMyFault NotMyFault mentioned this pull request Jul 4, 2022
Merged
12 tasks
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jul 4, 2022

Looks like handlebars is no longer being updated by Dependabot, so this is no longer needed.

@dependabot dependabot bot closed this Jul 4, 2022
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/war/handlebars-4.7.7 branch July 4, 2022 23:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@basil basil basil left review comments

@NotMyFault NotMyFault NotMyFault approved these changes

@timja timja timja approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code, used by dependency tooling
Projects
None yet
Milestone
No milestone
3 participants
@NotMyFault @timja @basil