Broken with handlebars 4.6.0

[darthsteven]

Handlebars 4.6.0 breaks the templating as far as I can tell.

Presumably because of the breaking change in: handlebars-lang/handlebars.js#1633

I have a custom template that extends the spritesheet-template and now it's compiled to a file of mostly comments:

// SCSS variables are information about icon's compiled state, stored under its original file name
//
// .icon-home {
//   width: $icon-home-width;
// }
//
// The large array-like variables contain all information about a single icon
// $icon-home: x y offset_x offset_y width height total_width total_height image_path;
//
// At the bottom of this section, we provide information about the spritesheet itself
// $spritesheet: width height image $spritesheet-sprites;
$: ;
$: ;
$: '';
$: ();
$: (, , '', $ );
$: ;
$: ;
$: '';
$: ();
$: (, , '', $ );
// These "retina group" variables are mappings for the naming and pairing of normal and retina sprites.
//
// The list formatted variables are intended for mixins like `retina-sprite` and `retina-sprites`.
$: ();

Obviously that's not great!

I'm not really a node dev so can't really see what's going on and how to fix it, but I can confirm that installing handlebars 4.5.3 allows the template to compile fine.

[twolfson]

Looking into this

[twolfson]

Yep, seeing same behavior as reported via npm test (works for handlebars@4.5.3., breaks for 4.6.0)

The linked issue seems unrelated but will keep on reading for a bit before recommending hardcoding handlebars version

[twolfson]

They did a huge code cleanup between 4.5.3 and 4.6.0 (10k lines) using automated tools like eslint and prettier

handlebars-lang/handlebars.js@v4.5.3...v4.6.0

I've got a feeling the issue lies in that rather than the prototype code. Going to use git bisect to see if I can narrow down the cause on my own. Otherwise, I'll likely submit a bug report with a gist test case for them to use

[twolfson]

Actually... going to cut a release for using ~4.5.3 instead of ^ to immediately resolve this. I'd prefer to not rely on them their schedule for a patched release. I'll continue to explore the bug report route one way or another though

[twolfson]

Alright, that fixed version has been released in 10.4.3. Thanks for the bug report!

[darthsteven]

Amazing! Thank you!

[twolfson]

Heh, it turns out that the issue was in handlebars-layouts incompatibility which has been fixed between its 1.x.x and 3.x.x release. Going to release another version of spritesheet-templates with the latest handlebars and handlebars-layouts

[twolfson]

Alright, this has been released in 10.5.0. Thanks again for the bug report =)

[darthsteven]

Thank you again!

[nknapp]

We will add an option to allow proto access in 4.7.0, which I hope to release today

[nknapp]

Handlebars 4.7.0 has been release with options to disable prototype restrictions:
https://handlebarsjs.com/api-reference/runtime-options.html#options-to-control-prototype-access

Please be aware the you are potentially opening up ways to crash your servers or maybe even remote code execution for people who can inject templates into your system.