newman-reporter-html icon indicating copy to clipboard operation
newman-reporter-html copied to clipboard

Published 20 hours ago verified publisher icon postmanlabs

[Security] Bump handlebars from 4.5.3 to 4.6.0

Open dependabot-preview[bot] opened this issue 4 years ago • 0 comments

Bumps handlebars from 4.5.3 to 4.6.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Denial of Service Crash Node.js process from handlebars using a small and simple source

Affected versions: <4.6.0

Changelog

Sourced from handlebars's changelog.

v4.6.0 - January 8th, 2020

Features:

  • feat: access control to prototype properties via whitelist (#1633)- d03b6ec

Bugfixes:

  • fix(runtime.js): partials compile not caching (#1600) - 23d58e7

Chores, docs:

  • various refactorings and improvements to tests - d7f0dcf, 187d611, d337f40
  • modernize the build-setup
    • use prettier to format and eslint to verify - c40d9f3, 8901c28, e97685e, 1f61f21
    • use nyc instead of istanbul to collect coverage - 164b7ff, 1ebce2b
    • update build code to use modern javascript and make it cleaner - 14b621c, 1ec1737, 3a5b65e, dde108e, 04b1984, 587e7a3
    • restructur build commands - e913dc5,
  • eslint rule changes - ac4655e, dc54952
  • Update (C) year in the LICENSE file - d1fb07b
  • chore: try to fix saucelabs credentials (#1627) -
  • Update readme.md with updated links (#1620) - edcc84f

BREAKING CHANGES:

  • access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

    That is why we only bump the minor version despite mentioning breaking changes.

Commits

Commits
  • 91a1b5d v4.6.0
  • 770d746 Update release notes
  • d7f0dcf refactor: fix typo in private test method
  • 187d611 test: add path to nodeJs when running test:bin
  • d337f40 test: show diff when test:bin fails
  • d03b6ec feat: access control to prototype properties via whitelist
  • 164b7ff chore: ignore .nyc_output
  • ac4655e chore: disable "dot-notation" rule
  • 14b621c test/style: remove or hide unused code in git.js, add tests
  • 1ec1737 test/style: refactor remaining grunt tasks to use promises instead of callbacks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] avatar May 25 '20 22:05 dependabot-preview[bot]