deps: express-hbs@1.0.0
refs TryGhost#2459

This includes updating handlebars to v4 as well as other fixes which
will introduce breaking changes to the theme API:

From express-hbs:
- partials must now use the `.hbs` extension, the same as templates
From handlebars:
- Depthed paths are now conditionally pushed on to the stack.
If the helper uses the same context, then a new stack is not created.
This leads to behavior that better matches expectations for helpers
like if that do not seem to alter the context. Any instances of ../
in templates will need to be checked for the correct behavior under 4.0.0.
In general templates will either reduce the number of ../ instances
or leave them as is. See TryGhost#1028.
- The = character is now HTML escaped. This closes a potential exploit
case when using unquoted attributes, i.e. <div foo={{bar}}>. In general
it's recommended that attributes always be quoted when their values are
generated from a mustache to avoid any potential exploit surfaces.
ErisDS authored and geekhuyang committed Nov 20, 2016
1 parent 22d4627 commit 7b07842
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -38,7 +38,7 @@
"cors": "2.7.1",
"downsize": "0.0.8",
"express": "4.13.4",
"express-hbs": "0.8.4",
"express-hbs": "1.0.0",
"extract-zip": "1.4.1",
"fs-extra": "0.26.5",
"ghost-gql": "0.0.4",
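Review bot: the `"express-hbs": "1.0.0"` line is a major-version jump from 0.8.4, and package.json is the only file this commit touches, so nothing here adapts to the breaking changes the commit message lists. I'd want any templates and partials in this repository checked alongside this bump: partials for the `.hbs` extension and `../` paths for their behavior under handlebars 4, plus a theme-facing changelog entry for the API break. On the `=` escaping, the message itself recommends always quoting attributes, so a search for unquoted mustache attributes of the form `<div foo={{bar}}>` is worth doing rather than relying on the new escaping alone.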