commercetools / commercetools-sunrise-theme

Sunrise Theme from commercetools
http://commercetools.github.io/commercetools-sunrise-theme/site/en/home.html

Update dependency handlebars to v4.1.2 #463

Closed renovate[bot] closed 5 years ago

renovate[bot] commented 5 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| handlebars (source) | devDependencies | minor | `4.0.12` -> `4.1.2` |

Release Notes

wycats/handlebars.js

### [`v4.1.2`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v412---April-13th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.1.1...v4.1.2)

Chore/Test:

- [#1515](https://togithub.com/wycats/handlebars.js/pull/1515) - Port over linting and test for typings ([@zimmi88](https://api.github.com/users/zimmi88))
- chore: add missing typescript dependency, add package-lock.json - [`594f1e3`](https://togithub.com/wycats/handlebars.js/commit/594f1e3)
- test: remove safari from saucelabs - [`871accc`](https://togithub.com/wycats/handlebars.js/commit/871accc)

Bugfixes:

- fix: prevent RCE through the "lookup"-helper - [`cd38583`](https://togithub.com/wycats/handlebars.js/commit/cd38583)

Compatibility notes:

Access to the constructor of a class through `{{lookup obj "constructor" }}` is now prohibited. This closes a leak that was only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility. This kind of access is not the intended use of Handlebars and leads to the vulnerability described in [#1495](https://togithub.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).

[Commits](https://togithub.com/wycats/handlebars.js/compare/v4.1.1...v4.1.2)

### [`v4.1.1`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v411---March-16th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.1.0...v4.1.1)

Bugfixes:

- fix: add "runtime.d.ts" to allow "require('handlebars/runtime')" in TypeScript - [`5cedd62`](https://togithub.com/wycats/handlebars.js/commit/5cedd62)

Refactorings:

- replace "async" with "neo-async" - [`048f2ce`](https://togithub.com/wycats/handlebars.js/commit/048f2ce)
- use "substring"-function instead of "substr" - [`445ae12`](https://togithub.com/wycats/handlebars.js/commit/445ae12)

Compatibility notes:

- This is a bugfix release. There are no breaking changes and no new features.

[Commits](https://togithub.com/wycats/handlebars.js/compare/v4.1.0...v4.1.1)

### [`v4.1.0`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v410---February-7th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.0.14...v4.1.0)

New Features

- import TypeScript typings - [`27ac1ee`](https://togithub.com/wycats/handlebars.js/commit/27ac1ee)

Security fixes:

- disallow access to the constructor in templates to prevent RCE - [`42841c4`](https://togithub.com/wycats/handlebars.js/commit/42841c4), [#1495](https://togithub.com/wycats/handlebars.js/issues/1495)

Housekeeping

- chore: fix components/handlebars package.json and auto-update on release - [`bacd473`](https://togithub.com/wycats/handlebars.js/commit/bacd473)
- chore: Use node 10 to build handlebars - [`78dd89c`](https://togithub.com/wycats/handlebars.js/commit/78dd89c)
- chore/doc: Add more release docs - [`6b87c21`](https://togithub.com/wycats/handlebars.js/commit/6b87c21)

Compatibility notes:

Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent Remote Code Execution.

This means that the following construct will not work anymore:

```javascript
class SomeClass {
}
SomeClass.staticProperty = 'static';
var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.
```

This kind of access is not the intended use of Handlebars and leads to the vulnerability described in [#1495](https://togithub.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).

[Commits](https://togithub.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)

### [`v4.0.14`](https://togithub.com/wycats/handlebars.js/compare/v4.0.13...v4.0.14)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.0.13...v4.0.14)

### [`v4.0.13`](https://togithub.com/wycats/handlebars.js/compare/v4.0.12...v4.0.13)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.0.12...v4.0.13)

Renovate configuration

:date: Schedule: At any time (no schedule defined).

:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.

:recycle: Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

:no_bell: Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot. View repository job log here.
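As an added example (not from this Renovate PR, the Sunrise theme, or handlebars.js), a pre-merge check for an update like this one: it scans template sources for the `constructor` access that 4.1.0/4.1.2 now block, so templates that relied on it are found before they silently render empty, and confirms that a resolved `handlebars` version carries the lookup-helper fix. The sample template below is constructed for the example.

```javascript
// Returns the inner expression of every {{ ... }} / {{{ ... }}} mustache.
function mustacheExpressions(source) {
  const out = [];
  const re = /\{\{\{?\s*([^}]*?)\s*\}?\}\}/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// Flags expressions that reach "constructor" as a path segment
// ({{constructor.staticProperty}}, {{this.constructor.name}}, {{../constructor}})
// or through the lookup helper ({{lookup obj "constructor"}}). Both forms are
// prohibited by the release notes above (4.1.0 for paths, 4.1.2 for lookup).
function findConstructorAccess(source) {
  const hits = [];
  for (const expr of mustacheExpressions(source)) {
    const tokens = expr.split(/\s+/);
    const pathSegments = tokens
      .filter(t => !/^["']/.test(t))        // string literals are not paths
      .flatMap(t => t.split(/[./]/));        // a.b and ../a both segment
    const viaPath = pathSegments.includes('constructor');
    const viaLookup = tokens[0] === 'lookup' &&
      tokens.slice(1).some(t => /^["']constructor["']$/.test(t));
    if (viaPath || viaLookup) hits.push(expr);
  }
  return hits;
}

// True when a version (optionally prefixed with ^ or ~) is >= 4.1.2, the
// first release that fully closes the lookup-helper leak.
function hasLookupFix(version) {
  const parts = version.replace(/^[^\d]*/, '').split('.').map(Number);
  const fixed = [4, 1, 2];
  for (let i = 0; i < 3; i++) {
    const p = parts[i] || 0;
    if (p !== fixed[i]) return p > fixed[i];
  }
  return true;
}

// Constructed sample template (not a Sunrise theme file).
const SAMPLE_TEMPLATE = [
  '<h1>{{title}}</h1>',
  '<span>{{constructor.staticProperty}}</span>',
  '<span>{{lookup this "constructor"}}</span>',
  '<p>{{lookup items "name"}}</p>',
].join('\n');

console.log(findConstructorAccess(SAMPLE_TEMPLATE), hasLookupFix('4.1.2'));
```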