express-typescript-boilerplate
express-typescript-boilerplate copied to clipboard
⬆️ Bump handlebars from 4.0.12 to 4.0.14
Bumps handlebars from 4.0.12 to 4.0.14.
Changelog
Sourced from handlebars's changelog.
v4.0.14 - April 13th, 2019
Chore/Test:
- test: remove safari from saucelabs - 871accc
Bugfixes:
- fix: prevent RCE through the "lookup"-helper - cd38583
Compatibility notes:
Access to the constructor of a class thought
{{lookup obj "constructor" }}
is now prohibited. This closes a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
v4.0.13 - February 7th, 2019
New Features
- none
Security fixes:
- disallow access to the constructor in templates to prevent RCE - 42841c4, #1495
Housekeeping
- chore: fix components/handlebars package.json and auto-update on release - bacd473
- chore: Use node 10 to build handlebars - 78dd89c
Compatibility notes:
Access to class constructors (i.e.
({}).constructor
) is now prohibited to prevent Remote Code Execution. This means that following construct will no work anymore:... (truncated)class SomeClass { } SomeClass.staticProperty = 'static' var template = Handlebars.compile('{{constructor.staticProperty}}'); document.getElementById('output').innerHTML = template(new SomeClass()); // expected: 'static', but now this is empty.
Commits
-
272362e
v4.0.14 -
2a5a801
Update release notes -
7375da4
test: remove safari from saucelabs -
d4e64b6
chore: .gitignore more files -
85c8783
fix: prevent RCE through the "lookup"-helper -
d97a045
chore: reactivate saucelabs-tests -
5f47c4a
test: make security testcase internet explorer compatible -
7c2fbcc
chore: Use node 10 to build handlebars -
9d4fff1
v4.0.13 -
2d49b67
Update release notes - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot ignore this [patch|minor|major] version
will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.