backport some (but not all) of the security fixes from 4.x - 156061e
Compatibility notes:
The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__
have been added to the list of "dangerous properties". If a property
by that name is found and not an own-property of its parent, it will silently evaluate to undefined.
This is done in both the compiled template and the "lookup"-helper. This will prevent
Remote-Code-Execution exploits that have been published in npm advisories 1324
and 1316.
The check for dangerous properties has been changed from "propertyIsEnumerable" to "hasOwnProperty", as it is now done
in Handlebars 4.6.0 and later.
disable saucelabs-tests since the tunnel is not working - 95f33b1
update grunt-saucelabs and aws dependency - 09aaa56
fix package.json of components/handlebars.js repo - 7cf753b
Fix Travis by updating git tag retrieval - 7c3944015d30a4348ae66ec1736b752cd864d5c1
Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 7820b207e123babd0bda0b4871790f2ea6b36b01
Tests:
test: run appveyor tests in Node 10 - 420ac171a01b8777ebce0a777221754fcc72a5a8
Fix build on Windows - 47adcda48530ab1504b8019fe17eaedd4f4c943f
Compatibility notes:
Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:
This version was pushed to npm by knappi, a new releaser for handlebars since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/E2Data/E2DataYARN/network/alerts).
Bumps handlebars from 3.0.3 to 3.0.8.
Changelog
Sourced from handlebars's changelog.
... (truncated)
Commits
16bd606v3.0.890ad8d9Update release notes156061ebackport fixes from 4.x8ba9159update package-lock.json55e4d9dv3.0.7bae88ebUpdate release notesc131babchore: remove TODO comment from Gruntfile to enable clean build95f33b1chore: disable saucelabs-tests since the tunnel is not working09aaa56chore: update grunt-saucelabs and aws dependency0d6d8c3Merge pull request #1532 from mattolson/backport-security-fixesMaintainer changes
This version was pushed to npm by knappi, a new releaser for handlebars since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/E2Data/E2DataYARN/network/alerts).