Changelog
*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/v4.0.14/release-notes.md).*
> ## v4.0.14 - April 13th, 2019
> Chore/Test:
> - test: remove safari from saucelabs - 871accc
>
> Bugfixes:
> - fix: prevent RCE through the "lookup"-helper - cd38583
>
> Compatibility notes:
>
> Access to the constructor of a class through `{{lookup obj "constructor" }}` is now prohibited. This closes
> a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.
>
> This kind of access is not the intended use of Handlebars and leads to the vulnerability described
> in [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented,
> and because of the potential impact of the issue (we fear that most people won't use a new major version
> and the issue may not be resolved on many systems).
>
>
> [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.13...v4.0.14)
>
> ## v4.0.13 - February 7th, 2019
> New Features
>
> - none
>
> Security fixes:
>
> - disallow access to the constructor in templates to prevent RCE - 42841c4, [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495)
>
> Housekeeping
>
> - chore: fix components/handlebars package.json and auto-update on release - bacd473
> - chore: Use node 10 to build handlebars - 78dd89c
>
> Compatibility notes:
>
> Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
> Remote Code Execution. This means that the following construct will not work anymore:
>
> ```
> class SomeClass {
> }
>
> SomeClass.staticProperty = 'static'
>
> var template = Handlebars.compile('{{constructor.staticProperty}}');
> document.getElementById('output').innerHTML = template(new SomeClass());
> // expected: 'static', but now this is empty.
> ```
>
> ... (truncated)
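The changelog entries above describe the fix only in prose: template property lookups (both the dotted `{{constructor.staticProperty}}` form and the `{{lookup obj "constructor"}}` helper form) now refuse to step into `constructor`, so the expression renders empty instead of handing a template author a path to `Function`. The following is an added illustration of that guard pattern written for this page; it is not the handlebars.js source. It also denies `__proto__` and `prototype`, which is a generalisation assumed here, not something the changelog states.

```javascript
// Added illustration of the guard described in the changelog above, not the
// handlebars.js implementation: a dotted-path resolver for template data that
// refuses to traverse into `constructor`. The two extra keys are an assumption
// of this example (other prototype-reaching names), not part of the changelog.
const BLOCKED_SEGMENTS = new Set(['constructor', '__proto__', 'prototype']);

// Returns true when a single path segment may be followed.
function isAllowedSegment(name) {
  return typeof name === 'string' && !BLOCKED_SEGMENTS.has(name);
}

// Resolves "a.b.c" against `context`. A blocked segment anywhere in the path
// makes the whole expression resolve to undefined, which a template engine
// renders as "". With a single segment this is the `{{lookup obj "key"}}` case.
function resolvePath(context, path) {
  const segments = path.split('.').filter(Boolean);
  let current = context;
  for (const segment of segments) {
    if (!isAllowedSegment(segment)) {
      return undefined;
    }
    if (current === null || current === undefined) {
      return undefined;
    }
    current = current[segment];
  }
  return current;
}

// Mirrors how a template renders a missing value: as the empty string.
function renderValue(value) {
  return value === undefined || value === null ? '' : String(value);
}

// Constructed sample data shaped like the changelog's compatibility example.
class SomeClass {
  constructor() { this.title = 'report'; }
}
SomeClass.staticProperty = 'static';
const sample = new SomeClass();

// Ordinary data still resolves; both constructor-reaching shapes render empty.
function demo() {
  return {
    plain: renderValue(resolvePath(sample, 'title')),                              // "report"
    viaConstructor: renderValue(resolvePath(sample, 'constructor.staticProperty')), // ""
    viaLookup: renderValue(resolvePath(sample, 'constructor')),                     // ""
  };
}
```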
Commits
- [`272362e`](https://github.com/wycats/handlebars.js/commit/272362e44c66d0110a4c98c7c1d121971ce447a7) v4.0.14
- [`2a5a801`](https://github.com/wycats/handlebars.js/commit/2a5a80110cec2066f4c03794d96676c069d86981) Update release notes
- [`7375da4`](https://github.com/wycats/handlebars.js/commit/7375da42769bf8681d16474687ddac07239192f9) test: remove safari from saucelabs
- [`d4e64b6`](https://github.com/wycats/handlebars.js/commit/d4e64b6bdc6accde00872e7041354430e8dcf4dc) chore: .gitignore more files
- [`85c8783`](https://github.com/wycats/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4) fix: prevent RCE through the "lookup"-helper
- [`d97a045`](https://github.com/wycats/handlebars.js/commit/d97a045f6b25e75e98e6e3ecd1a608ccebb802d8) chore: reactivate saucelabs-tests
- [`5f47c4a`](https://github.com/wycats/handlebars.js/commit/5f47c4a6825e500fcda58650981e46d81e065820) test: make security testcase internet explorer compatible
- [`7c2fbcc`](https://github.com/wycats/handlebars.js/commit/7c2fbcc9de142b5d80314ddd37d88c9c69798ff3) chore: Use node 10 to build handlebars
- [`9d4fff1`](https://github.com/wycats/handlebars.js/commit/9d4fff19d438a390b4e34d0a175b2de5f196cea8) v4.0.13
- [`2d49b67`](https://github.com/wycats/handlebars.js/commit/2d49b67a6180d1a91d92f824753005e39e622650) Update release notes
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.0.14)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/communitysnowobs/cso-api/network/alerts).
Bumps handlebars from 4.0.12 to 4.0.14.