finos / cla-bot

cla-bot is a GitHub bot for automation of Contributor Licence Agreements (CLAs).
https://finos.github.io/cla-bot/
Apache License 2.0

chore(deps): update dependency handlebars to v4.7.4 - abandoned #201

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| handlebars (source) | dependencies | minor | 4.4.2 -> 4.7.4 |

By merging this PR, the below vulnerabilities will be automatically resolved:

| Severity | CVSS Score | CVE |
|---|---|---|
| Medium | 5.6 | CVE-2020-7598 |

Release Notes

wycats/handlebars.js

### [`v4.7.4`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v474---April-1st-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.7.3...v4.7.4)

Chore/Housekeeping:

- [#1666](https://togithub.com/handlebars-lang/handlebars.js/issues/1666) - Replaced minimist with yargs for handlebars CLI ([@aorinevo](https://api.github.com/users/aorinevo), [@AviVahl](https://api.github.com/users/AviVahl) & [@fabb](https://api.github.com/users/fabb))

Compatibility notes:

- No incompatibilities are to be expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.7.3...v4.7.4)

### [`v4.7.3`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v473---February-5th-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.7.2...v4.7.3)

Chore/Housekeeping:

- [#1644](https://togithub.com/handlebars-lang/handlebars.js/issues/1644) - Download links to aws broken on handlebarsjs.com - access denied ([@Tea56](https://api.github.com/users/Tea56))
- Fix spelling and punctuation in changelog - [`d78cc73`](https://togithub.com/wycats/handlebars.js/commit/d78cc73)

Bugfixes:

- Add Type Definition for Handlebars.VERSION, Fixes [#1647](https://togithub.com/wycats/handlebars.js/issues/1647) - [`4de51fe`](https://togithub.com/wycats/handlebars.js/commit/4de51fe)
- Include Type Definition for runtime.js in Package - [`a32d05f`](https://togithub.com/wycats/handlebars.js/commit/a32d05f)

Compatibility notes:

- No incompatibilities are to be expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.7.2...v4.7.3)

### [`v4.7.2`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v472---January-13th-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.7.1...v4.7.2)

Bugfixes:

- fix: don't wrap helpers that are not functions - [`9d5aa36`](https://togithub.com/wycats/handlebars.js/commit/9d5aa36), [#1639](https://togithub.com/wycats/handlebars.js/issues/1639)

Chore/Build:

- chore: execute saucelabs-task only if access-key exists - [`a4fd391`](https://togithub.com/wycats/handlebars.js/commit/a4fd391)

Compatibility notes:

- No breaking changes are to be expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.7.1...v4.7.2)

### [`v4.7.1`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v471---January-12th-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.7.0...v4.7.1)

Bugfixes:

- fix: fix log output in case of illegal property access - [`f152dfc`](https://togithub.com/wycats/handlebars.js/commit/f152dfc)
- fix: log error for illegal property access only once per property - [`3c1e252`](https://togithub.com/wycats/handlebars.js/commit/3c1e252)

Compatibility notes:

- no incompatibilities are to be expected.

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.7.0...v4.7.1)

### [`v4.7.0`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v470---January-10th-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.6.0...v4.7.0)

Features:

- feat: default options for controlling proto access - [`7af1c12`](https://togithub.com/wycats/handlebars.js/commit/7af1c12), [#1635](https://togithub.com/wycats/handlebars.js/issues/1635)
  - This makes it possible to disable the prototype access restrictions added in 4.6.0
  - an error is logged in the console, if access to prototype properties is attempted and denied and no explicit configuration has taken place.

Compatibility notes:

- no compatibilities are expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.6.0...v4.7.0)

### [`v4.6.0`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v460---January-8th-2020)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.5.3...v4.6.0)

Features:

- feat: access control to prototype properties via whitelist ([#1633](https://togithub.com/wycats/handlebars.js/issues/1633)) - [`d03b6ec`](https://togithub.com/wycats/handlebars.js/commit/d03b6ec)

Bugfixes:

- fix(runtime.js): partials compile not caching ([#1600](https://togithub.com/wycats/handlebars.js/issues/1600)) - [`23d58e7`](https://togithub.com/wycats/handlebars.js/commit/23d58e7)

Chores, docs:

- various refactorings and improvements to tests - [`d7f0dcf`](https://togithub.com/wycats/handlebars.js/commit/d7f0dcf), [`187d611`](https://togithub.com/wycats/handlebars.js/commit/187d611), [`d337f40`](https://togithub.com/wycats/handlebars.js/commit/d337f40)
- modernize the build-setup
  - use prettier to format and eslint to verify - [`c40d9f3`](https://togithub.com/wycats/handlebars.js/commit/c40d9f3), [`8901c28`](https://togithub.com/wycats/handlebars.js/commit/8901c28), [`e97685e`](https://togithub.com/wycats/handlebars.js/commit/e97685e), [`1f61f21`](https://togithub.com/wycats/handlebars.js/commit/1f61f21)
  - use nyc instead of istanbul to collect coverage - [`164b7ff`](https://togithub.com/wycats/handlebars.js/commit/164b7ff), [`1ebce2b`](https://togithub.com/wycats/handlebars.js/commit/1ebce2b)
  - update build code to use modern javascript and make it cleaner - [`14b621c`](https://togithub.com/wycats/handlebars.js/commit/14b621c), [`1ec1737`](https://togithub.com/wycats/handlebars.js/commit/1ec1737), [`3a5b65e`](https://togithub.com/wycats/handlebars.js/commit/3a5b65e), [`dde108e`](https://togithub.com/wycats/handlebars.js/commit/dde108e), [`04b1984`](https://togithub.com/wycats/handlebars.js/commit/04b1984), [`587e7a3`](https://togithub.com/wycats/handlebars.js/commit/587e7a3)
  - restructure build commands - [`e913dc5`](https://togithub.com/wycats/handlebars.js/commit/e913dc5),
  - eslint rule changes - [`ac4655e`](https://togithub.com/wycats/handlebars.js/commit/ac4655e), [`dc54952`](https://togithub.com/wycats/handlebars.js/commit/dc54952)
- Update (C) year in the LICENSE file - [`d1fb07b`](https://togithub.com/wycats/handlebars.js/commit/d1fb07b)
- chore: try to fix saucelabs credentials ([#1627](https://togithub.com/wycats/handlebars.js/issues/1627)) -
- Update readme.md with updated links ([#1620](https://togithub.com/wycats/handlebars.js/issues/1620)) - [`edcc84f`](https://togithub.com/wycats/handlebars.js/commit/edcc84f)

BREAKING CHANGES:

- access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See [#1633](https://togithub.com/wycats/handlebars.js/issues/1633) for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build. That is why we only bump the minor version despite mentioning breaking changes.

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.5.3...v4.6.0)

### [`v4.5.3`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v453---November-18th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.5.2...v4.5.3)

Bugfixes:

- fix: add "no-prototype-builtins" eslint-rule and fix all occurrences - [`f7f05d7`](https://togithub.com/wycats/handlebars.js/commit/f7f05d7)
- fix: add more properties required to be enumerable - [`1988878`](https://togithub.com/wycats/handlebars.js/commit/1988878)

Chores / Build:

- fix: use !== 0 instead of != 0 - [`c02b05f`](https://togithub.com/wycats/handlebars.js/commit/c02b05f)
- add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - [`93e284e`](https://togithub.com/wycats/handlebars.js/commit/93e284e), [`886ba86`](https://togithub.com/wycats/handlebars.js/commit/886ba86), [`0817dad`](https://togithub.com/wycats/handlebars.js/commit/0817dad), [`93516a0`](https://togithub.com/wycats/handlebars.js/commit/93516a0)

Security:

- The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` have been added to the list of "properties that must be enumerable". If a property by that name is found and not enumerable on its parent, it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.

Compatibility notes:

- Due to the security-fixes, the semantics of the templates using `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` have changed in the respect that those expressions now return `undefined` rather than their actual value from the proto.
- The semantics have not changed in cases where the properties are enumerable, as in:

```js
{
  __proto__: 'some string';
}
```

- The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.5.2...v4.5.3)

### [`v4.5.2`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v452---November-13th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.5.1...v4.5.2)

### [`v4.5.1`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v451---October-29th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.5.0...v4.5.1)

Bugfixes

- fix: move "eslint-plugin-compat" to devDependencies - [`5e9d17f`](https://togithub.com/wycats/handlebars.js/commit/5e9d17f) ([#1589](https://togithub.com/wycats/handlebars.js/issues/1589))

Compatibility notes:

- No compatibility issues are to be expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.5.0...v4.5.1)

### [`v4.5.0`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v450---October-28th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.4.5...v4.5.0)

Features / Improvements

- Add method Handlebars.parseWithoutProcessing ([#1584](https://togithub.com/wycats/handlebars.js/issues/1584)) - [`62ed3c2`](https://togithub.com/wycats/handlebars.js/commit/62ed3c2)
- add guard to if & unless helpers ([#1549](https://togithub.com/wycats/handlebars.js/issues/1549))
- show source location for the strict lookup exceptions - [`feb60f8`](https://togithub.com/wycats/handlebars.js/commit/feb60f8)

Bugfixes:

- Use objects for hash value tracking - [`7fcf9d2`](https://togithub.com/wycats/handlebars.js/commit/7fcf9d2)

Chore:

- Resolve deprecation warning message from eslint while running eslint ([#1586](https://togithub.com/wycats/handlebars.js/issues/1586)) - [`7052e88`](https://togithub.com/wycats/handlebars.js/commit/7052e88)
- chore: add eslint-plugin-compat and eslint-plugin-es5 - [`088e618`](https://togithub.com/wycats/handlebars.js/commit/088e618)

Compatibility notes:

- No compatibility issues are to be expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.4.5...v4.5.0)

### [`v4.4.5`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v445---October-20th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.4.4...v4.4.5)

Bugfixes:

- Contents of raw-blocks must be matched with non-eager regex-matching - [`8d5530e`](https://togithub.com/wycats/handlebars.js/commit/8d5530e), [#1579](https://togithub.com/wycats/handlebars.js/issues/1579)

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.4.4...v4.4.5)

### [`v4.4.4`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v444---October-20th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.4.3...v4.4.4)

Bugfixes:

- fix: prevent zero length tokens in raw-blocks ([#1577](https://togithub.com/wycats/handlebars.js/issues/1577), [#1578](https://togithub.com/wycats/handlebars.js/issues/1578)) - [`f1752fe`](https://togithub.com/wycats/handlebars.js/commit/f1752fe)

Chore:

- chore: link to s3 bucket with https, add "npm ci" to build instructions - [`0b593bf`](https://togithub.com/wycats/handlebars.js/commit/0b593bf)

Compatibility notes:

- no compatibility issues are expected

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.4.3...v4.4.4)

### [`v4.4.3`](https://togithub.com/wycats/handlebars.js/blob/master/release-notes.md#v443---October-8th-2019)

[Compare Source](https://togithub.com/wycats/handlebars.js/compare/v4.4.2...v4.4.3)

Bugfixes

Typings:

- add missing type fields to AST typings and add tests for them - [`0440af2`](https://togithub.com/wycats/handlebars.js/commit/0440af2)

[Commits](https://togithub.com/handlebars-lang/handlebars.js/compare/v4.4.2...v4.4.3)
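
The enumerability rule from the v4.5.3 security note and the own-properties-only default from v4.6.0, modeled in plain JavaScript as an added example (not part of the bot's comment and not Handlebars' own code). The function names `guardedLookup` and `ownOrAllowedLookup`, the `allowed` parameter and the sample objects are hypothetical and constructed for illustration.

```javascript
// Added illustration: a plain-JavaScript model of two rules from the release
// notes above. All names are hypothetical; this is not Handlebars code.

// v4.5.3: the four names the notes list as "must be enumerable".
const MUST_BE_ENUMERABLE = new Set([
  '__proto__',
  '__defineGetter__',
  '__defineSetter__',
  '__lookupGetter__',
]);

// Returns parent[name], except that a listed name which is not an own
// enumerable property of parent silently evaluates to undefined.
function guardedLookup(parent, name) {
  if (parent == null) return undefined;
  if (
    MUST_BE_ENUMERABLE.has(name) &&
    !Object.prototype.propertyIsEnumerable.call(parent, name)
  ) {
    return undefined;
  }
  return parent[name];
}

// v4.6.0 default: only own properties resolve; a prototype property resolves
// only when it is on an explicit allow-list (hypothetical `allowed` set).
function ownOrAllowedLookup(parent, name, allowed = new Set()) {
  if (parent == null) return undefined;
  if (Object.prototype.hasOwnProperty.call(parent, name)) return parent[name];
  return allowed.has(name) ? parent[name] : undefined;
}

// Constructed sample inputs.
// JSON.parse creates an own, enumerable "__proto__" data property, the
// "properties are enumerable" case from the compatibility notes.
const ownProto = JSON.parse('{"__proto__": "some string"}');

class Contributor {
  constructor(login) { this.login = login; }
  get display() { return `@${this.login}`; } // lives on the prototype
}
const user = new Contributor('octo');

console.log(guardedLookup({}, '__proto__'), guardedLookup(ownProto, '__proto__'));
console.log(ownOrAllowedLookup(user, 'display'),
  ownOrAllowedLookup(user, 'display', new Set(['display'])));
```

Names outside the list, such as `toString`, still resolve through `guardedLookup`; the own-property rule is what stops them.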

linux-foundation-easycla[bot] commented 2 years ago

CLA Missing ID CLA Not Signed

mend-for-github-com[bot] commented 2 years ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.