Changelog
*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/v3.0.7/release-notes.md).*
> ## v3.0.7 - June 30th, 2019
> Security fixes:
>
> - [#1532](https://github-redirect.dependabot.com/wycats/handlebars.js/pull/1532) - Backport security fixes to 3.x branch ([@mattolson](https://api.github.com/users/mattolson))
>
> Housekeeping
>
> - disable saucelabs-tests since the tunnel is not working - 95f33b1
> - update grunt-saucelabs and aws dependency - 09aaa56
> - fix package.json of components/handlebars.js repo - 7cf753b
> - Fix Travis by updating git tag retrieval - 7c3944015d30a4348ae66ec1736b752cd864d5c1
> - Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 7820b207e123babd0bda0b4871790f2ea6b36b01
>
> Tests:
>
> - test: run appveyor tests in Node 10 - 420ac171a01b8777ebce0a777221754fcc72a5a8
> - Fix build on Windows - 47adcda48530ab1504b8019fe17eaedd4f4c943f
>
>
> Compatibility notes:
>
> Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
> Remote Code Execution. This means that the following construct will not work anymore:
>
> ```
> class SomeClass {
> }
>
> SomeClass.staticProperty = 'static'
>
> var template = Handlebars.compile('{{constructor.staticProperty}}');
> document.getElementById('output').innerHTML = template(new SomeClass());
> // expected: 'static', but now this is empty.
> ```
>
> This kind of access is not the intended use of Handlebars and leads to the vulnerability described in [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
>
> [Commits](https://github.com/wycats/handlebars.js/compare/v3.0.6...v3.0.7)
Commits
- [`55e4d9d`](https://github.com/wycats/handlebars.js/commit/55e4d9d80d5dd834fcf53c528e7e0aa080f315a5) v3.0.7
- [`bae88eb`](https://github.com/wycats/handlebars.js/commit/bae88ebee929b48f408ca1a5a9b857ed22924934) Update release notes
- [`c131bab`](https://github.com/wycats/handlebars.js/commit/c131bab4e8bfd698e13d8b8b1f9d85c111d669b5) chore: remove TODO comment from Gruntfile to enable clean build
- [`95f33b1`](https://github.com/wycats/handlebars.js/commit/95f33b1e72f1ae4e46cd1d46a58232e00e813519) chore: disable saucelabs-tests since the tunnel is not working
- [`09aaa56`](https://github.com/wycats/handlebars.js/commit/09aaa56dcd4a0ae0df2d8f3a336612f6bf97286f) chore: update grunt-saucelabs and aws dependency
- [`0d6d8c3`](https://github.com/wycats/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac) Merge pull request [#1532](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1532) from mattolson/backport-security-fixes
- [`7c39440`](https://github.com/wycats/handlebars.js/commit/7c3944015d30a4348ae66ec1736b752cd864d5c1) Fix Travis by updating git tag retrieval
- [`7820b20`](https://github.com/wycats/handlebars.js/commit/7820b207e123babd0bda0b4871790f2ea6b36b01) Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul
- [`420ac17`](https://github.com/wycats/handlebars.js/commit/420ac171a01b8777ebce0a777221754fcc72a5a8) test: run appveyor tests in Node 10
- [`47adcda`](https://github.com/wycats/handlebars.js/commit/47adcda48530ab1504b8019fe17eaedd4f4c943f) Fix build on Windows
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v3.0.6...v3.0.7)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/machty/ember-concurrency/network/alerts).
Bumps handlebars from 3.0.6 to 3.0.7.
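
The compatibility note in the changelog above says that `constructor` is no longer resolved from template paths. The following added example (not Handlebars' own code and not part of the original PR) models a guarded path lookup to show why that one name matters and what a template sees after the change. `unsafeLookup`, `safeLookup` and `BLOCKED` are hypothetical names; blocking `__proto__` and requiring own properties are stricter assumptions than the page states.

```javascript
// Added illustration: a simplified model of template path lookup.
// These helpers are hypothetical and are not Handlebars APIs.

// Names never resolved from a template path. The release note names only
// `constructor`; `__proto__` is included here as a related assumption.
const BLOCKED = new Set(['constructor', '__proto__']);

// Unguarded lookup: follows every segment, inherited properties included.
function unsafeLookup(context, path) {
  return path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), context);
}

// Guarded lookup: refuses blocked names and anything that is not an
// own property of the current object.
function safeLookup(context, path) {
  let current = context;
  for (const key of path.split('.')) {
    if (current == null || BLOCKED.has(key)) return undefined;
    const holder = Object(current);
    if (!Object.prototype.hasOwnProperty.call(holder, key)) return undefined;
    current = holder[key];
  }
  return current;
}

// Constructed sample mirroring the release-note example.
class SomeClass {}
SomeClass.staticProperty = 'static';
const ctx = new SomeClass();
ctx.title = 'hello';

function demo() {
  return {
    // Why the name is sensitive: two hops from any object reach Function,
    // the constructor that builds code from strings.
    reachesFunction: unsafeLookup(ctx, 'constructor.constructor') === Function,
    unsafeStatic: unsafeLookup(ctx, 'constructor.staticProperty'),
    safeStatic: safeLookup(ctx, 'constructor.staticProperty'),
    safeTitle: safeLookup(ctx, 'title'),
  };
}

console.log(demo());
```

Templates that relied on `{{constructor.staticProperty}}` need the value passed explicitly in the render context after upgrading.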