softvar / secure-ls

:lock: Secure localStorage data with high level of encryption and data compression
http://softvar.github.io/secure-ls
MIT License

Bump handlebars from 4.1.2 to 4.5.3 #35

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps handlebars from 4.1.2 to 4.5.3.

Changelog

*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/master/release-notes.md).*

> ## v4.5.3 - November 18th, 2019
>
> Bugfixes:
>
> - fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
> - fix: add more properties required to be enumerable - 1988878
>
> Chores / Build:
>
> - fix: use !== 0 instead of != 0 - c02b05f
> - add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0
>
> Security:
>
> - The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` have been added to the list of "properties that must be enumerable". If a property by that name is found and not enumerable on its parent, it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.
>
> Compatibility notes:
>
> - Due to the security fixes, the semantics of templates using `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` have changed, in the respect that those expressions now return `undefined` rather than their actual value from the proto.
> - The semantics have not changed in cases where the properties are enumerable, as in:
>
> ```js
> {
>   __proto__: 'some string'
> }
> ```
>
> - The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.
>
> [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.2...v4.5.3)
>
> ## v4.5.2 - November 13th, 2019
>
> # Bugfixes
>
> - fix: use String(field) in lookup when checking for "constructor" - d541378
> - test: add fluent API for testing Handlebars - c2ac79c
>
> Compatibility notes:
>
> - no incompatibilities are to be expected
>
> ... (truncated)
Commits

- [`c819c8b`](https://github.com/wycats/handlebars.js/commit/c819c8b533934d2ac18001d7eb27a3205b00c2f3) v4.5.3
- [`827c9d0`](https://github.com/wycats/handlebars.js/commit/827c9d0747bef7d7f89829779523b6b2dcf3051d) Update release notes
- [`f7f05d7`](https://github.com/wycats/handlebars.js/commit/f7f05d7558e674856686b62a00cde5758f3b7a08) fix: add "no-prototype-builtins" eslint-rule and fix all occurences
- [`1988878`](https://github.com/wycats/handlebars.js/commit/198887808780bbef9dba67a8af68ece091d5baa7) fix: add more properties required to be enumerable
- [`886ba86`](https://github.com/wycats/handlebars.js/commit/886ba86c2f9cc71b7d99b9018fbe2d72a57085cc) test/chore: add chai/expect and sinon to "runtime"-environment
- [`0817dad`](https://github.com/wycats/handlebars.js/commit/0817dad7e72c51d07f7700547d0c69aa79a4976b) test: add sinon as global variable to eslint in the specs
- [`93516a0`](https://github.com/wycats/handlebars.js/commit/93516a0b07026ebd23c84fddf270a0c8b570bc59) test: add sinon.js for spies, deprecate current assertions
- [`93e284e`](https://github.com/wycats/handlebars.js/commit/93e284ed9be1e38c5e6945f15af1ccd689f2ada6) chore: add chai and dirty-chai for better test assertions
- [`c02b05f`](https://github.com/wycats/handlebars.js/commit/c02b05fa819f46bb66c878bebc6e8006408ebd5c) fix: use !== 0 instead of != 0
- [`8de121d`](https://github.com/wycats/handlebars.js/commit/8de121d21c88a6ab877e3a0eec9daaac483f3bf0) v4.5.2
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.1.2...v4.5.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/softvar/secure-ls/network/alerts).
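The lookup semantics described in the quoted v4.5.3 security note, as an added example in plain JavaScript (not handlebars' own code): `safeLookup` and `resolvePath` are illustrative names, and treating "enumerable on its parent" as an enumerable own-property test is an assumption about how the check is performed.

```javascript
// Added example, not handlebars' own code. Models the v4.5.3 rule: the four
// listed property names only resolve when they are enumerable on the parent
// object itself; otherwise (e.g. found via Object.prototype) they yield undefined.
const MUST_BE_ENUMERABLE = new Set([
  '__proto__', '__defineGetter__', '__defineSetter__', '__lookupGetter__'
]);

function safeLookup(parent, propertyName) {
  if (parent === null || parent === undefined) return undefined;
  if (MUST_BE_ENUMERABLE.has(propertyName) &&
      // Assumption: "enumerable on its parent" == enumerable own property.
      !Object.prototype.propertyIsEnumerable.call(parent, propertyName)) {
    // Inherited accessor such as Object.prototype.__proto__: silently drop it,
    // so a template cannot climb from context data to the prototype chain.
    return undefined;
  }
  // Every other property keeps its normal semantics (own or inherited).
  return parent[propertyName];
}

// Resolve a dotted template path ("user.name") one segment at a time through
// safeLookup, as a template expression would resolve nested context values.
function resolvePath(context, path) {
  return path.split('.').reduce((obj, segment) => safeLookup(obj, segment), context);
}

// Constructed inputs: an enumerable own "__proto__" (the compat-note case) and
// a plain context object.
const ownProto = Object.defineProperty({}, '__proto__', {
  value: 'some string', enumerable: true
});
const ctx = { user: { name: 'alice' } };
```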
coveralls commented 4 years ago


Coverage remained the same at 86.46% when pulling 17b57c32b7d5a678776b27258d342af1230e3614 on dependabot/npm_and_yarn/handlebars-4.5.3 into 679c12d34d8fe8c03b604550855b1f1acfb6ccb9 on master.