build(deps): bump handlebars from 4.5.3 to 4.6.0

[dependabot-preview]

Bumps handlebars from 4.5.3 to 4.6.0.

Changelog

Sourced from handlebars's changelog.

v4.6.0 - January 8th, 2020

Features:

• feat: access control to prototype properties via whitelist (#1633)- d03b6ec

Bugfixes:

• fix(runtime.js): partials compile not caching (#1600) - 23d58e7

Chores, docs:

• various refactorings and improvements to tests - d7f0dcf, 187d611, d337f40
• modernize the build-setup
  • use prettier to format and eslint to verify - c40d9f3, 8901c28, e97685e, 1f61f21
  • use nyc instead of istanbul to collect coverage - 164b7ff, 1ebce2b
  • update build code to use modern javascript and make it cleaner - 14b621c, 1ec1737, 3a5b65e, dde108e, 04b1984, 587e7a3
  • restructur build commands - e913dc5,
• eslint rule changes - ac4655e, dc54952
• Update (C) year in the LICENSE file - d1fb07b
• chore: try to fix saucelabs credentials (#1627) -
• Update readme.md with updated links (#1620) - edcc84f

BREAKING CHANGES:

• access to prototype properties is forbidden completely by default, specific properties or methods can be allow via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

  That is why we only bump the minor version despite mentioning breaking changes

Commits

Commits

• 91a1b5d v4.6.0
• 770d746 Update release notes
• d7f0dcf refactor: fix typo in private test method
• 187d611 test: add path to nodeJs when running test:bin
• d337f40 test: show diff when test:bin fails
• d03b6ec feat: access control to prototype properties via whitelist
• 164b7ff chore: ignore .nyc_output
• ac4655e chore: disable "dot-notation" rule
• 14b621c test/style: remove or hide unused code in git.js, add tests
• 1ec1737 test/style: refactor remaining grunt tasks to use promises instead of callbacks
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[znarf]

@dependabot rebase

[znarf]

@leonardohof @Betree There is a breaking change here, according to the changelog, the most likely candidate is handlebars-lang/handlebars.js#1633

Not sure what to do.

[Betree]

Let's wait for handlebars-lang/handlebars.js#1635, the new runtime options will allow us to stay up to date with handlebars. But we should create a follow-up issue to see why we can't access our variables in emails templates with this new config and eventually whitelist the props if that's what is needed.

[nknapp]

Handlebars 4.7.0 has been release with options to disable prototype restrictions:
https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access

Please be aware the you are potentially opening up ways to crash your servers or maybe even remote code execution for people who can inject templates into your system.

[dependabot-preview]

Superseded by #3176.