Browse Source

[Security] Bump handlebars from 4.0.12 to 4.1.0 (#173)

Bumps [handlebars](https://github.com/wycats/handlebars.js) from 4.0.12 to 4.1.0. **This update includes security fixes.**
<details>
<summary>Vulnerabilities fixed</summary>

*Sourced from [The npm Advisory Database](https://npmjs.com/advisories/755).*

> **Prototype Pollusion**
> All versions of `handlebars` are vulnerable to Prototype Pollusion. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
> 
> Affected versions: <=4.0.12

</details>
<details>
<summary>Changelog</summary>

*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/v4.1.0/release-notes.md).*

> ## v4.1.0 - February 7th, 2019
> New Features
> 
> - import TypeScript typings - 27ac1ee
> 
> Security fixes:
> 
> - disallow access to the constructor in templates to prevent RCE - 42841c4, [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495)
> 
> Housekeeping
> 
> - chore: fix components/handlebars package.json and auto-update on release - bacd473
> - chore: Use node 10 to build handlebars - 78dd89c
> - chore/doc: Add more release docs - 6b87c21
> 
> Compatibility notes:
> 
> Access to class constructors (i.e. `({}).constructor`) is now prohibited to prevent
> Remote Code Execution. This means that following construct will no work anymore:
> 
> ```
> class SomeClass {
> }
> 
> SomeClass.staticProperty = 'static'
> 
> var template = Handlebars.compile('{{constructor.staticProperty}}');
> document.getElementById('output').innerHTML = template(new SomeClass());
> // expected: 'static', but now this is empty.
> ```
> 
> This kind of access is not the intended use of Handlebars and leads to the vulnerability described in [#1495](https://github-redirect.dependabot.com/wycats/handlebars.js/issues/1495). We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
> 
> 
> 
> [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
</details>
<details>
<summary>Commits</summary>

- [`7caca94`](7caca944b1) v4.1.0
- [`7bd34fb`](7bd34fb466) Update release notes
- [`56fc676`](56fc6768d1) test: run appveyor tests in Node 10
- [`ee30222`](ee3022228b) chore: disable sauce-labs
- [`05e6293`](05e6293bb3) chore: bump version of grunt-saucelabs
- [`2db0d12`](2db0d123c8) chore: add .idea and yarn-error.log to .gitignore
- [`edc6220`](edc6220d51) fix: disallow access to the constructor in templates to prevent RCE
- [`bacd473`](bacd473fe6) chore: fix components/handlebars package.json and auto-update on release
- [`27ac1ee`](27ac1ee396) Feat: Import TypeScript typings
- [`78dd89c`](78dd89c13a) chore: Use node 10 to build handlebars
- Additional commits viewable in [compare view](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0)
</details>
<br />

[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=handlebars&package-manager=npm_and_yarn&previous-version=4.0.12&new-version=4.1.0)](https://dependabot.com/compatibility-score.html?dependency-name=handlebars&package-manager=npm_and_yarn&previous-version=4.0.12&new-version=4.1.0)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

</details>
pull/175/head
dependabot[bot] 6 years ago committed by Ned Zimmerman
parent
commit
dafbb6cbe3
  1. 14
      package-lock.json

14
package-lock.json generated

@ -7684,9 +7684,9 @@
"dev": true
},
"handlebars": {
"version": "4.0.12",
"resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz",
"integrity": "sha512-RhmTekP+FZL+XNhwS1Wf+bTTZpdLougwt5pcgA1tuz6Jcx0fpH/7z0qd71RKnZHBCxIRBHfBOnio4gViPemNzA==",
"version": "4.1.0",
"resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz",
"integrity": "sha512-l2jRuU1NAWK6AW5qqcTATWQJvNPEwkM7NEKSiv/gqOsoSQbVoWyqVEY5GS+XPQ88zLNmqASRpzfdm8d79hJS+w==",
"requires": {
"async": "^2.5.0",
"optimist": "^0.6.1",
@ -7695,11 +7695,11 @@
},
"dependencies": {
"async": {
"version": "2.6.1",
"resolved": "https://registry.npmjs.org/async/-/async-2.6.1.tgz",
"integrity": "sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==",
"version": "2.6.2",
"resolved": "https://registry.npmjs.org/async/-/async-2.6.2.tgz",
"integrity": "sha512-H1qVYh1MYhEEFLsP97cVKqCGo7KfCyTt6uEWqsTBr9SO84oK9Uwbyd/yCW+6rKJLHksBNUVWZDAjfS+Ccx0Bbg==",
"requires": {
"lodash": "^4.17.10"
"lodash": "^4.17.11"
}
},
"lodash": {

Loading…
Cancel
Save