This repository has been archived by the owner on Oct 11, 2024. It is now read-only.

fix(deps): update dependency handlebars to v4.1.2 [security] #466

Merged
merged 1 commit into from
Jun 10, 2019

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 5, 2019

This PR contains the following updates:

Package Type Update Change
handlebars (source) dependencies patch 4.1.1 -> 4.1.2

GitHub Vulnerability Alerts

GHSA-q42p-pg8m-cqh6

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.


Release Notes

wycats/handlebars.js

v4.1.2


Chore/Test:

  • #1515 - Port over linting and test for typings (@zimmi88)
  • chore: add missing typescript dependency, add package-lock.json - 594f1e3
  • test: remove safari from saucelabs - 871accc

Bugfixes:

  • fix: prevent RCE through the "lookup"-helper - cd38583

Compatibility notes:

Access to the constructor of a class through {{lookup obj "constructor" }} is now prohibited. This closes
a leak that was only half-closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.

This kind of access is not the intended use of Handlebars and leads to the vulnerability described
in #1495. We will not increase the major version, because such use is not intended or documented,
and because of the potential impact of the issue (we fear that most people won't use a new major version
and the issue may not be resolved on many systems).


Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever PR is stale, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot. View repository job log here.
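The compatibility note in the release notes above explains why `{{lookup obj "constructor"}}` has to be refused: on a plain JavaScript object, `obj.constructor` is `Object`, and `Object.constructor` is `Function`, whose instances compile arbitrary source. The block below is an added illustration and is not handlebars' own helper code: `lookupUnsafe` and `lookupSafe` are hypothetical minimal stand-ins for the `lookup` helper before and after 4.1.2 (the own-enumerable-property check is an assumption about the shape of the fix, not a quote of commit cd38583), and `reachFunctionCtor` shows how two chained lookups starting from ordinary template data climb to `Function`.

```javascript
// Added example, not code from handlebars.js. Minimal stand-ins for the
// "lookup" helper, to show why returning obj[field] unchecked is an RCE
// primitive and what the 4.1.2 compatibility note prohibits.

// Hypothetical pre-4.1.2 shape: any property name reaches obj[field],
// including inherited ones such as "constructor".
function lookupUnsafe(obj, field) {
  return obj == null ? obj : obj[field];
}

// Hypothetical hardened shape (assumption about the fix): "constructor" is
// only honoured when it is an own enumerable property of the data object,
// i.e. a key the template author actually put in the context, never the
// inherited class constructor.
function lookupSafe(obj, field) {
  if (obj == null) return obj;
  if (field === 'constructor' &&
      !Object.prototype.propertyIsEnumerable.call(obj, field)) {
    return undefined;
  }
  return obj[field];
}

// Chain two lookups the way a template could with nested helper calls:
//   data -> data.constructor (Object) -> Object.constructor (Function)
// With the unsafe helper the result is the Function constructor, so a
// template-controlled string becomes executable code. With the safe helper
// the first hop already yields undefined.
function reachFunctionCtor(lookup, data) {
  const objCtor = lookup(data, 'constructor');
  const fnCtor = lookup(objCtor, 'constructor');
  if (typeof fnCtor !== 'function') return null;
  // Constructed payload for the demonstration; a real attacker controls this.
  return fnCtor('return "code ran"')();
}

// Legitimate data keyed "constructor" is still reachable with the safe helper.
function ownKeyStillWorks() {
  return lookupSafe({ constructor: 'plain data' }, 'constructor');
}
```

Running `reachFunctionCtor(lookupUnsafe, {})` returns the string produced by the compiled payload, while `reachFunctionCtor(lookupSafe, {})` returns `null`; a context object that genuinely carries a `constructor` key keeps working, which is the edge the own-property check is there to preserve.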

@renovate renovate bot added the renovate label Jun 5, 2019
@renovate renovate bot force-pushed the renovate/npm-handlebars-vulnerability branch from dde099b to 486d8ac Compare June 7, 2019 08:02
@coveralls

coveralls commented Jun 7, 2019

Coverage Status

Coverage remained the same at 32.504% when pulling 86bf6bb on renovate/npm-handlebars-vulnerability into 3249c12 on master.

@renovate renovate bot force-pushed the renovate/npm-handlebars-vulnerability branch from 486d8ac to 86bf6bb Compare June 7, 2019 08:10
@stoffeastrom stoffeastrom merged commit 8028fec into master Jun 10, 2019
@stoffeastrom stoffeastrom deleted the renovate/npm-handlebars-vulnerability branch June 10, 2019 20:04
3 participants