Changelog
*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/master/release-notes.md).*
> ## v4.5.3 - November 18th, 2019
> Bugfixes:
>
> - fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
> - fix: add more properties required to be enumerable - 1988878
>
> Chores / Build:
> - fix: use !== 0 instead of != 0 - c02b05f
> - add chai and dirty-chai and sinon, for cleaner test-assertions and spies,
> deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0
>
> Security:
>
> - The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__`
> have been added to the list of "properties that must be enumerable".
> If a property by that name is found and not enumerable on its parent,
> it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper.
> This will prevent new Remote-Code-Execution exploits that have been
> published recently.
>
> Compatibility notes:
>
> - Due to the security-fixes. The semantics of the templates using
> `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` in the respect that those expression now return
> `undefined` rather than their actual value from the proto.
> - The semantics have not changed in cases where the properties are enumerable, as in:
>
> ```js
> {
> __proto__: 'some string'
> }
> ```
>
> - The change may be breaking in that respect, but we still only
> increase the patch-version, because the incompatible use-cases
> are not intended, undocumented and far less important than fixing
> Remote-Code-Execution exploits on existing systems.
>
>
>
> [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.2...v4.5.3)
>
> ## v4.5.2 - November 13th, 2019
> # Bugfixes
>
> - fix: use String(field) in lookup when checking for "constructor" - d541378
> - test: add fluent API for testing Handlebars - c2ac79c
>
> Compatibility notes:
> - no incompatibility are to be expected
> ... (truncated)
Commits
- [`c819c8b`](https://github.com/wycats/handlebars.js/commit/c819c8b533934d2ac18001d7eb27a3205b00c2f3) v4.5.3
- [`827c9d0`](https://github.com/wycats/handlebars.js/commit/827c9d0747bef7d7f89829779523b6b2dcf3051d) Update release notes
- [`f7f05d7`](https://github.com/wycats/handlebars.js/commit/f7f05d7558e674856686b62a00cde5758f3b7a08) fix: add "no-prototype-builtins" eslint-rule and fix all occurences
- [`1988878`](https://github.com/wycats/handlebars.js/commit/198887808780bbef9dba67a8af68ece091d5baa7) fix: add more properties required to be enumerable
- [`886ba86`](https://github.com/wycats/handlebars.js/commit/886ba86c2f9cc71b7d99b9018fbe2d72a57085cc) test/chore: add chai/expect and sinon to "runtime"-environment
- [`0817dad`](https://github.com/wycats/handlebars.js/commit/0817dad7e72c51d07f7700547d0c69aa79a4976b) test: add sinon as global variable to eslint in the specs
- [`93516a0`](https://github.com/wycats/handlebars.js/commit/93516a0b07026ebd23c84fddf270a0c8b570bc59) test: add sinon.js for spies, deprecate current assertions
- [`93e284e`](https://github.com/wycats/handlebars.js/commit/93e284ed9be1e38c5e6945f15af1ccd689f2ada6) chore: add chai and dirty-chai for better test assertions
- [`c02b05f`](https://github.com/wycats/handlebars.js/commit/c02b05fa819f46bb66c878bebc6e8006408ebd5c) fix: use !== 0 instead of != 0
- [`8de121d`](https://github.com/wycats/handlebars.js/commit/8de121d21c88a6ab877e3a0eec9daaac483f3bf0) v4.5.2
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.1.2...v4.5.3)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kpman/newsroom/network/alerts).
Bumps handlebars from 4.1.2 to 4.5.3.
Changelog
*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/master/release-notes.md).* > ## v4.5.3 - November 18th, 2019 > Bugfixes: > > - fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7 > - fix: add more properties required to be enumerable - 1988878 > > Chores / Build: > - fix: use !== 0 instead of != 0 - c02b05f > - add chai and dirty-chai and sinon, for cleaner test-assertions and spies, > deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0 > > Security: > > - The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` > have been added to the list of "properties that must be enumerable". > If a property by that name is found and not enumerable on its parent, > it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper. > This will prevent new Remote-Code-Execution exploits that have been > published recently. > > Compatibility notes: > > - Due to the security-fixes. The semantics of the templates using > `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` in the respect that those expression now return > `undefined` rather than their actual value from the proto. > - The semantics have not changed in cases where the properties are enumerable, as in: > > ```js > { > __proto__: 'some string' > } > ``` > > - The change may be breaking in that respect, but we still only > increase the patch-version, because the incompatible use-cases > are not intended, undocumented and far less important than fixing > Remote-Code-Execution exploits on existing systems. > > > > [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.2...v4.5.3) > > ## v4.5.2 - November 13th, 2019 > # Bugfixes > > - fix: use String(field) in lookup when checking for "constructor" - d541378 > - test: add fluent API for testing Handlebars - c2ac79c > > Compatibility notes: > - no incompatibility are to be expected > ... (truncated)Commits
- [`c819c8b`](https://github.com/wycats/handlebars.js/commit/c819c8b533934d2ac18001d7eb27a3205b00c2f3) v4.5.3 - [`827c9d0`](https://github.com/wycats/handlebars.js/commit/827c9d0747bef7d7f89829779523b6b2dcf3051d) Update release notes - [`f7f05d7`](https://github.com/wycats/handlebars.js/commit/f7f05d7558e674856686b62a00cde5758f3b7a08) fix: add "no-prototype-builtins" eslint-rule and fix all occurences - [`1988878`](https://github.com/wycats/handlebars.js/commit/198887808780bbef9dba67a8af68ece091d5baa7) fix: add more properties required to be enumerable - [`886ba86`](https://github.com/wycats/handlebars.js/commit/886ba86c2f9cc71b7d99b9018fbe2d72a57085cc) test/chore: add chai/expect and sinon to "runtime"-environment - [`0817dad`](https://github.com/wycats/handlebars.js/commit/0817dad7e72c51d07f7700547d0c69aa79a4976b) test: add sinon as global variable to eslint in the specs - [`93516a0`](https://github.com/wycats/handlebars.js/commit/93516a0b07026ebd23c84fddf270a0c8b570bc59) test: add sinon.js for spies, deprecate current assertions - [`93e284e`](https://github.com/wycats/handlebars.js/commit/93e284ed9be1e38c5e6945f15af1ccd689f2ada6) chore: add chai and dirty-chai for better test assertions - [`c02b05f`](https://github.com/wycats/handlebars.js/commit/c02b05fa819f46bb66c878bebc6e8006408ebd5c) fix: use !== 0 instead of != 0 - [`8de121d`](https://github.com/wycats/handlebars.js/commit/8de121d21c88a6ab877e3a0eec9daaac483f3bf0) v4.5.2 - Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.1.2...v4.5.3)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kpman/newsroom/network/alerts).