Bumps handlebars from 4.0.12 to 4.1.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The npm Advisory Database](https://npmjs.com/advisories/755).*
> **Prototype Pollution**
> All versions of `handlebars` are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
>
> Affected versions: <=4.0.12
Changelog
*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/v4.1.0/release-notes.md).*
> ## v4.1.0 - February 7th, 2019
> New Features
>
> - import TypeScript typings - 27ac1ee
>
> Security fixes:
>
> - disallow access to the constructor in templates to prevent RCE - 42841c4, [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495)
>
> Housekeeping
>
> - chore: fix components/handlebars package.json and auto-update on release - bacd473
> - chore: Use node 10 to build handlebars - 78dd89c
> - chore/doc: Add more release docs - 6b87c21
>
> Compatibility notes:
>
> Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
> Remote Code Execution. This means that the following construct will no longer work:
>
> ```js
> class SomeClass {
> }
>
> SomeClass.staticProperty = 'static';
>
> var template = Handlebars.compile('{{constructor.staticProperty}}');
> document.getElementById('output').innerHTML = template(new SomeClass());
> // expected: 'static', but now this is empty.
> ```
>
> This kind of access is not the intended use of Handlebars and leads to the vulnerability described in [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
>
> [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
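As an added illustration of the behaviour change the compatibility note describes (not Handlebars' own code and not part of this PR), here is a naive dotted-path resolver of the kind a template engine performs beside a guarded one that refuses to walk through an inherited `constructor`, plus a static scan that finds template paths the upgrade will now render empty. The names `naiveLookup`, `guardedLookup` and `findBlockedPaths` are assumptions, and the template source is constructed sample input.

```javascript
// Added illustration, not Handlebars' own implementation. Segments that walk
// into an object's prototype chain rather than its own data.
const BLOCKED = new Set(['constructor', '__proto__', 'prototype']);

// Pre-4.1.0 style lookup: follow every path segment, inherited or not.
function naiveLookup(context, path) {
  return path.split('.').reduce(
    (parent, name) => (parent == null ? undefined : parent[name]),
    context
  );
}

// Guarded lookup: a blocked segment resolves only when the current object
// declares it as an own enumerable property (i.e. it is real template data,
// not the inherited class constructor); otherwise the expression is empty.
function guardedLookup(context, path) {
  return path.split('.').reduce((parent, name) => {
    if (parent == null) return undefined;
    if (BLOCKED.has(name) &&
        !Object.prototype.propertyIsEnumerable.call(parent, name)) {
      return undefined;
    }
    return parent[name];
  }, context);
}

// Static check for template sources already in a repository: report every
// mustache expression whose literal path contains a blocked segment, so the
// upgrade's behaviour change is found before it silently renders empty output.
function findBlockedPaths(templateSource) {
  const hits = [];
  const mustache = /\{\{\{?\s*([^{}\s]+)[^}]*\}\}\}?/g;
  let m;
  while ((m = mustache.exec(templateSource)) !== null) {
    const segments = m[1].split(/[./]/);
    if (segments.some((s) => BLOCKED.has(s))) hits.push(m[1]);
  }
  return hits;
}

// The changelog's example, rebuilt here as constructed sample input.
class SomeClass {}
SomeClass.staticProperty = 'static';
const ctx = new SomeClass();
console.log(naiveLookup(ctx, 'constructor.staticProperty'));   // 'static' (old behaviour)
console.log(guardedLookup(ctx, 'constructor.staticProperty')); // undefined (4.1.0 behaviour)
console.log(findBlockedPaths('<p>{{name}}</p>{{constructor.staticProperty}}'));
```

The scan covers literal path expressions only; values resolved through helpers at render time need a runtime guard of the `guardedLookup` kind rather than a source scan.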
Commits
- [`7caca94`](https://github.com/wycats/handlebars.js/commit/7caca944b1ae64b5bc11cba67d21e4b51ba6196a) v4.1.0
- [`7bd34fb`](https://github.com/wycats/handlebars.js/commit/7bd34fb4662c69a86e654311ff317f5710c9c11e) Update release notes
- [`56fc676`](https://github.com/wycats/handlebars.js/commit/56fc6768d1231e8e4d7cd37ba0ff792a1db82f98) test: run appveyor tests in Node 10
- [`ee30222`](https://github.com/wycats/handlebars.js/commit/ee3022228b40ae595e1574923362d8a6db0ec2d7) chore: disable sauce-labs
- [`05e6293`](https://github.com/wycats/handlebars.js/commit/05e6293bb37979d39d020d233c42756c8132ad0e) chore: bump version of grunt-saucelabs
- [`2db0d12`](https://github.com/wycats/handlebars.js/commit/2db0d123c8501a7cf67b8252523ac3000c9c028f) chore: add .idea and yarn-error.log to .gitignore
- [`edc6220`](https://github.com/wycats/handlebars.js/commit/edc6220d51139b32c28e51641fadad59a543ae57) fix: disallow access to the constructor in templates to prevent RCE
- [`bacd473`](https://github.com/wycats/handlebars.js/commit/bacd473fe6cce76e16c69e2f7f49139062fffa03) chore: fix components/handlebars package.json and auto-update on release
- [`27ac1ee`](https://github.com/wycats/handlebars.js/commit/27ac1ee39637813bd1c634f73f5a4fd8a063bee7) Feat: Import TypeScript typings
- [`78dd89c`](https://github.com/wycats/handlebars.js/commit/78dd89c13aa26c82bf73d27b2e29f1c01283d7a4) chore: Use node 10 to build handlebars
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.