New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency handlebars to v4 [SECURITY] #4
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-handlebars-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
changed the title
Pin dependency handlebars to v3.0.8 [SECURITY]
Pin dependency handlebars to 3.0.8 [SECURITY]
May 9, 2021
renovate
bot
changed the title
Pin dependency handlebars to 3.0.8 [SECURITY]
Pin dependency handlebars to v3.0.8 [SECURITY]
May 15, 2021
renovate
bot
changed the title
Pin dependency handlebars to v3.0.8 [SECURITY]
Pin dependency handlebars to v [SECURITY]
Mar 7, 2022
renovate
bot
changed the title
Pin dependency handlebars to v [SECURITY]
Pin dependency handlebars to v3.0.8 [SECURITY]
Sep 25, 2022
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
November 20, 2022 15:13
16cda47
to
496df55
Compare
renovate
bot
changed the title
Pin dependency handlebars to v3.0.8 [SECURITY]
Update dependency handlebars to v4 [SECURITY]
Nov 20, 2022
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
March 27, 2023 01:37
496df55
to
f2a8fb6
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
June 1, 2023 03:34
1596525
to
3295f37
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
June 10, 2023 02:09
538e7a4
to
d3f0e52
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
3 times, most recently
from
June 19, 2023 05:44
cebf44c
to
a5870d2
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
June 23, 2023 02:42
a5870d2
to
7ad6b33
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
July 1, 2023 01:17
9085d7c
to
8877461
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
July 11, 2023 05:33
cea74cf
to
1e3a574
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
July 21, 2023 05:36
bf398cb
to
5ffe12b
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
3 times, most recently
from
August 3, 2023 14:51
b1fbda0
to
cb300dc
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
August 9, 2023 21:00
31fb4e2
to
d798921
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
December 5, 2023 14:54
c0fd1bb
to
39477d4
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
January 10, 2024 05:38
e1f5b71
to
5b5da92
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
January 18, 2024 02:57
0eb4e8a
to
6c88bff
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
February 6, 2024 05:10
666acc4
to
97be6e4
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
March 2, 2024 04:56
1a51a85
to
a043a18
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
March 13, 2024 08:38
8e063e3
to
f6902b1
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
March 26, 2024 05:34
7f22bad
to
ff68d66
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
April 16, 2024 05:52
194a53b
to
6d9456a
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
4 times, most recently
from
April 27, 2024 17:44
fe4fa05
to
e1e8040
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
May 1, 2024 11:49
e1e8040
to
46f6e0f
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
May 2, 2024 08:58
46f6e0f
to
36873de
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^3.0.3
->^4.7.7
GitHub Vulnerability Alerts
CVE-2015-8861
Versions of
handlebars
prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.Proof of Concept
Template:
<a href=/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
CVE-2021-23369
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-23383
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Release Notes
handlebars-lang/handlebars.js (handlebars)
v4.7.7
Compare Source
eb860c0
b6d3de7
f058970
77825f8
3789a30
(POSSIBLY) BREAKING CHANGES:
in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods
can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties
from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.
That is why we only bump the patch version despite mentioning breaking changes.
Commits
v4.7.6
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.5
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.4
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.3
Compare Source
Chore/Housekeeping:
d78cc73
Bugfixes:
4de51fe
a32d05f
Compatibility notes:
Commits
v4.7.2
Compare Source
Bugfixes:
9d5aa36
, #1639Chore/Build:
a4fd391
Compatibility notes:
Commits
v4.7.1
Compare Source
Bugfixes:
f152dfc
3c1e252
Compatibility notes:
Commits
v4.7.0
Compare Source
Features:
7af1c12
, #1635and no explicit configuration has taken place.
Compatibility notes:
Commits
v4.6.0
Compare Source
Features:
d03b6ec
Bugfixes:
23d58e7
Chores, docs:
d7f0dcf
,187d611
,d337f40
c40d9f3
,8901c28
,e97685e
,1f61f21
164b7ff
,1ebce2b
14b621c
,1ec1737
,3a5b65e
,dde108e
,04b1984
,587e7a3
e913dc5
,ac4655e
,dc54952
d1fb07b
edcc84f
BREAKING CHANGES:
access to prototype properties is forbidden completely by default,
specific properties or methods can be allowed via runtime-options.
See #1633 for details.
If you are using Handlebars as documented, you should not be accessing prototype
properties from your template anyway, so the changes should not be a problem
for you. Only the use of undocumented features can break your build.
That is why we only bump the minor version despite mentioning breaking changes.
Commits
v4.5.3
Compare Source
Bugfixes:
f7f05d7
1988878
Chores / Build:
c02b05f
deprecate old assertion-methods -
93e284e
,886ba86
,0817dad
,93516a0
Security:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
have been added to the list of "properties that must be enumerable".
If a property by that name is found and not enumerable on its parent,
it will silently evaluate to
undefined
. This is done in both the compiled template and the "lookup"-helper.This will prevent new Remote-Code-Execution exploits that have been
published recently.
Compatibility notes:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
in the respect that those expression now returnundefined
rather than their actual value from the proto.increase the patch-version, because the incompatible use-cases
are not intended, undocumented and far less important than fixing
Remote-Code-Execution exploits on existing systems.
Commits
v4.5.2
Compare Source
v4.5.1
Compare Source
Bugfixs
5e9d17f
(#1589)Compatibility notes:
Commits
v4.5.0
Compare Source
Features / Improvements
62ed3c2
feb60f8
Bugfixes:
7fcf9d2
Chore:
7052e88
088e618
Compatibility notes:
Commits
v4.4.5
Compare Source
Bugfixes:
8d5530e
, #1579Commits
v4.4.4
Compare Source
Bugfixes:
f1752fe
Chore:
0b593bf
Compatibility notes:
Commits
v4.4.3
Compare Source
Bugfixes
Typings:
0440af2
Commits
v4.4.2
Compare Source
b7eada0
Commits
v4.4.1
Compare Source
Commits
v4.4.0
Compare Source
cf7545e
Commits
v4.3.5
Compare Source
Commits
v4.3.4
Compare Source
ff4d827
Compatibility notes:
Commits
v4.3.3
Compare Source
8742bde
Commits
v4.3.2
Compare Source
213c0bb
, #1563Compatibility notes:
Commits
v4.3.1
Compare Source
Fixes:
1266838
, #156193444c5
,64ecb9e
, #1560Commits
v4.3.0
Compare Source
Fixes:
2078c72
2078c72
Features:
allowCallsToHelperMissing
to allow callingblockHelperMissing
andhelperMissing
.Breaking changes:
Compatibility notes:
Compiler revision increased -
06b7224
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly -
2078c72
{{blockHelperMissing}}
wasnever intended and was part of the exploits that have been revealed early in 20https://github.com/handlebars-lang/handlebars.js/issues/1495s.js/issues/1495). It is also part of a new exploit that
is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
is now not possible anymore. Overriding those helpers is still possible.
allowCallsToHelperMissing
totrue
and thecalls will again be possible
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
Commits
v4.2.2
Compare Source
Commits
v4.2.1
Compare Source
Bugfixes:
c55a7be
, #1553Compatibility notes:
Commits
v4.2.0
Compare Source
Chore/Test:
grunt-saucelab
with current sauce-connect proxy -f119497
f9cce4d
a57b682
Bugfixes:
knownHelpers
doesnt allow for custom helpers (@NickCis)Features:
Compatibility notes:
shows that it works, but if it doesn't please open an issue.
Commits
v4.1.2
Compare Source
#1540 - added browser to package.json, resolves #1102 (@ouijan)
Compatibility notes:
Commits
v4.1.1
Compare Source
Bugfixes:
5cedd62
Refactorings:
048f2ce
445ae12
Compatibility notes:
Commits
v4.1.0
Compare Source
New Features
27ac1ee
Security fixes:
42841c4
, #1495Housekeeping
bacd473
78dd89c
6b87c21
Compatibility notes:
Access to class constructors (i.e.
({}).constructor
) is now prohibited to preventRemote Code Execution. This means that following construct will no work anymore:
This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
Commits
v4.0.14
Compare Source
v4.0.13
Compare Source
v4.0.12
Compare Source
New features:
Various dependency updates
d3d3942
7729aa9
73d5637
)Bugfixes:
source-map
-package should work better withrollup
#1463Removed obsolete code:
0ddff8b
files
field -69c6ca5
8947dd0
Compatibility notes:
Commits
v4.0.11
Compare Source
uglify-js
is unconditionally imported, but only listed as optional dependency (@Turbo87)21386b6
Compatibility notes:
Commits
v4.0.10
Compare Source
0e953d1
Commits
v4.0.9
Compare Source
cc554a5
ed879a6
node handlebars -a ...
on Windows -2e21e2b
bdfdbea
b50ef03
6e6269f
7378f85
Compatibility notes:
Commits
v4.0.8
Compare Source
a00c598
Compatibility notes:
Commits
v4.0.7
Compare Source
c8f4b57
b617375
63a8e0c
5a164d0
01b0f65
406f2ee
a023cb4
c7dc353
Commits
v4.0.6
Compare Source
959ee55
(originallydfc7554
by @kpdecker)8c19874
(originally63fdb92
by @kpdecker)400916c
(originallya6121ca
by @kpdecker)fee2334
(originally871c32a
by @kpdecker)32d6363
(originally326734b
by @kpdecker)20c965c
(originally2ea6119
by @kpdecker)6c9f98c
(originally8289c0b
by @kpdecker)c393c81
(originally25458fd
by @kpdecker)Commits
v4.0.5
Compare Source
685cf92
7a6c228
0a3b3c2
c21118d
9f59de9
98a6717
Commits
v4.0.4
Compare Source
Commits
v4.0.3
Compare Source
Compatibility notes:
each
iteration withundefined
values has been restored to the 3.0 behaviors. Helper calls with undefined context values will now execute against an arbitrary empty object to avoid executing against global object in non-strict mode.]
can now be included in[]
wrapped identifiers by escaping with\
. Any[]
identifiers that include\
will now have to properly escape these values.Commits
v4.0.2
Compare Source
Commits
v4.0.1
Compare Source
New features:
Various dependency updates
d3d3942
7729aa9
73d5637
)Bugfixes:
source-map
-package should work better withrollup
#1463Removed obsolete code:
0ddff8b
files
field -69c6ca5
8947dd0
Compatibility notes:
Commits
v4.0.0
Compare Source
Compatibility notes:
if
that do not seem to alter the context. Any instances of../
in templates will need to be checked for the correct behavior under 4.0.0. In general templates will either reduce the number of../
instances or leave them as is. See #1028.=
character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e.<div foo={{bar}}>
. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.Commits
v3.0.8
Compare Source
v3.0.7
Compare Source
v3.0.6
Compare Source
v3.0.5
Compare Source
v3.0.4
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.