diff --git a/release-notes.md b/release-notes.md index 199c39bf5..d75b32024 100644 --- a/release-notes.md +++ b/release-notes.md @@ -2,173 +2,223 @@ ## Development -[Commits](https://github.com/wycats/handlebars.js/compare/v4.5.3...master) +[Commits](https://github.com/wycats/handlebars.js/compare/v4.6.0...master) + +## v4.6.0 - January 8th, 2020 + +Features: + +- feat: access control to prototype properties via whitelist (#1633)- d03b6ec + +Bugfixes: + +- fix(runtime.js): partials compile not caching (#1600) - 23d58e7 + +Chores, docs: + +- various refactorings and improvements to tests - d7f0dcf, 187d611, d337f40 +- modernize the build-setup + - use prettier to format and eslint to verify - c40d9f3, 8901c28, e97685e, 1f61f21 + - use nyc instead of istanbul to collect coverage - 164b7ff, 1ebce2b + - update build code to use modern javascript and make it cleaner - 14b621c, 1ec1737, 3a5b65e, dde108e, 04b1984, 587e7a3 + - restructur build commands - e913dc5, +- eslint rule changes - ac4655e, dc54952 +- Update (C) year in the LICENSE file - d1fb07b +- chore: try to fix saucelabs credentials (#1627) - +- Update readme.md with updated links (#1620) - edcc84f + +BREAKING CHANGES: + +- access to prototype properties is forbidden completely by default, + specific properties or methods can be allow via runtime-options. + See #1633 for details. + If you are using Handlebars as documented, you should not be accessing prototype + properties from your template anyway, so the changes should not be a problem + for you. Only the use of undocumented features can break your build. + + That is why we only bump the minor version despite mentioning breaking changes + +[Commits](https://github.com/wycats/handlebars.js/compare/v4.5.3...v4.6.0) ## v4.5.3 - November 18th, 2019 + Bugfixes: - fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7 - fix: add more properties required to be enumerable - 1988878 Chores / Build: + - fix: use !== 0 instead of != 0 - c02b05f -- add chai and dirty-chai and sinon, for cleaner test-assertions and spies, - deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0 +- add chai and dirty-chai and sinon, for cleaner test-assertions and spies, + deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0 Security: -- The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` +- The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` have been added to the list of "properties that must be enumerable". - If a property by that name is found and not enumerable on its parent, - it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper. + If a property by that name is found and not enumerable on its parent, + it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently. -Compatibility notes: +Compatibility notes: - Due to the security-fixes. The semantics of the templates using - `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` in the respect that those expression now return + `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` in the respect that those expression now return `undefined` rather than their actual value from the proto. -- The semantics have not changed in cases where the properties are enumerable, as in: +- The semantics have not changed in cases where the properties are enumerable, as in: ```js { - __proto__: 'some string' + __proto__: 'some string'; } ``` -- The change may be breaking in that respect, but we still only +- The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems. - - [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.2...v4.5.3) ## v4.5.2 - November 13th, 2019 + # Bugfixes - fix: use String(field) in lookup when checking for "constructor" - d541378 - test: add fluent API for testing Handlebars - c2ac79c Compatibility notes: + - no incompatibility are to be expected [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.1...v4.5.2) ## v4.5.1 - October 29th, 2019 + Bugfixs - fix: move "eslint-plugin-compat" to devDependencies - 5e9d17f (#1589) Compatibility notes: -- No compatibility issues are to be expected +- No compatibility issues are to be expected [Commits](https://github.com/wycats/handlebars.js/compare/v4.5.0...v4.5.1) ## v4.5.0 - October 28th, 2019 + Features / Improvements + - Add method Handlebars.parseWithoutProcessing (#1584) - 62ed3c2 - add guard to if & unless helpers (#1549) - show source location for the strict lookup exceptions - feb60f8 Bugfixes: + - Use objects for hash value tracking - 7fcf9d2 Chore: + - Resolve deprecation warning message from eslint while running eslint (#1586) - 7052e88 - chore: add eslint-plugin-compat and eslint-plugin-es5 - 088e618 Compatibility notes: + - No compatibility issues are to be expected [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.5...v4.5.0) ## v4.4.5 - October 20th, 2019 -Bugfixes: - -- Contents of raw-blocks must be matched with non-eager regex-matching - 8d5530e, #1579 +Bugfixes: +- Contents of raw-blocks must be matched with non-eager regex-matching - 8d5530e, #1579 [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.4...v4.4.5) ## v4.4.4 - October 20th, 2019 + Bugfixes: + - fix: prevent zero length tokens in raw-blocks (#1577, #1578) - f1752fe -Chore: +Chore: + - chore: link to s3 bucket with https, add "npm ci" to build instructions - 0b593bf Compatibility notes: + - no compatibility issues are expected [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.3...v4.4.4) ## v4.4.3 - October 8th, 2019 + Bugfixes Typings: -- add missing type fields to AST typings and add tests for them - 0440af2 - +- add missing type fields to AST typings and add tests for them - 0440af2 [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.2...v4.4.3) ## v4.4.2 - October 2nd, 2019 -- chore: fix grunt-saucelabs dependency - b7eada0 +- chore: fix grunt-saucelabs dependency - b7eada0 [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.1...v4.4.2) ## v4.4.1 - October 2nd, 2019 -- [#1562](https://github.com/wycats/handlebars.js/issues/1562) - Error message for syntax error missing location in 4.2.1+ - +- [#1562](https://github.com/wycats/handlebars.js/issues/1562) - Error message for syntax error missing location in 4.2.1+ [Commits](https://github.com/wycats/handlebars.js/compare/v4.4.0...v4.4.1) ## v4.4.0 - September 29th, 2019 -- Added support for iterable objects in {{#each}} helper (#1557) - cf7545e +- Added support for iterable objects in {{#each}} helper (#1557) - cf7545e [Commits](https://github.com/wycats/handlebars.js/compare/v4.3.4...v4.4.0) ## v4.3.4 - September 28th, 2019 + - fix: harden "propertyIsEnumerable"-check - ff4d827 Compatibility notes: + - No incompatibilities are known. [Commits](https://github.com/wycats/handlebars.js/compare/v4.3.3...v4.3.4) ## v4.3.3 - September 27th, 2019 - - fix test case for browsers that do not support __defineGetter__ - 8742bde +- fix test case for browsers that do not support **defineGetter** - 8742bde [Commits](https://github.com/wycats/handlebars.js/compare/v4.3.2...v4.3.3) ## v4.3.2 - September 26th, 2019 + - Use Object.prototype.propertyIsEnumerable to check for constructors - 213c0bb, #1563 Compatibility notes: + - There are no breaking changes [Commits](https://github.com/wycats/handlebars.js/compare/v4.3.1...v4.3.2) ## v4.3.1 - September 25th, 2019 + Fixes: - do not break on precompiled templates from Handlebars >=4.0.0 <4.3.0 - 1266838, #1561 - Ensure allowCallsToHelperMissing runtime option is optional in typings - 93444c5, 64ecb9e, #1560 - - [Commits](https://github.com/wycats/handlebars.js/compare/v4.3.0...v4.3.1) ## v4.3.0 - September 24th, 2019 + Fixes: - Security: Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72 @@ -181,18 +231,20 @@ Features: Breaking changes: Compatibility notes: + - Compiler revision increased - 06b7224 + - This means that template compiled with versions prior to 4.3.0 will not work with runtimes >= 4.3.0 The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest that you always recompile your templates with the latest compiler in your build pipelines. - Disallow calling "helperMissing" and "blockHelperMissing" directly - 2078c72 - - Calling "helperMissing" and "blockHelperMissing" directly from a template (like in `{{blockHelperMissing}}` was - never intended and was part of the exploits that have been revealed early in 2019 - (see https://github.com/wycats/handlebars.js/issues/1495). *It is also part of a new exploit that - is not captured by the earlier fix.* In order to harden Handlebars against such exploits, calling thos helpers - is now not possible anymore. *Overriding* those helpers is still possible. + - Calling "helperMissing" and "blockHelperMissing" directly from a template (like in `{{blockHelperMissing}}` was + never intended and was part of the exploits that have been revealed early in 2019 + (see https://github.com/wycats/handlebars.js/issues/1495). _It is also part of a new exploit that + is not captured by the earlier fix._ In order to harden Handlebars against such exploits, calling thos helpers + is now not possible anymore. _Overriding_ those helpers is still possible. - If you really need this behavior, you can set the runtime option `allowCallsToHelperMissing` to `true` and the calls will again be possible @@ -200,86 +252,97 @@ Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, We consider it more important to resolve a major security issue than to maintain 100% compatibility. - - [Commits](https://github.com/wycats/handlebars.js/compare/v4.2.1...v4.3.0) ## v4.2.1 - September 20th, 2019 -Bugfixes: + +Bugfixes: - The "browser" property in the package.json has been updated to use the common-js builds instead of the minified UMD - c55a7be, #1553 Compatibility notes: + - No compatibility issues should arise [Commits](https://github.com/wycats/handlebars.js/compare/v4.2.0...v4.2.1) ## v4.2.0 - September 3rd, 2019 + Chore/Test: + - Use custom `grunt-saucelab` with current sauce-connect proxy - f119497 - Add framework for various integration tests - f9cce4d - Add integration test for webpack - a57b682 - Bugfixes: + - [#1544](https://github.com/wycats/handlebars.js/issues/1544) - Typescript types: `knownHelpers` doesnt allow for custom helpers ([@NickCis](https://api.github.com/users/NickCis)) - [#1534](https://github.com/wycats/handlebars.js/pull/1534) - Add typings for "Handlebars.VM.resolvePartial ([@AndrewLeedham](https://api.github.com/users/AndrewLeedham)) Features: + - [#1540](https://github.com/wycats/handlebars.js/pull/1540) - added "browser"-property to package.json, resolves #1102 ([@ouijan](https://api.github.com/users/ouijan)) Compatibility notes: -- The new "browser"-property should not break anything, but you can never be sure. The integration test for webpack - shows that it works, but if it doesn't please open an issue. - +- The new "browser"-property should not break anything, but you can never be sure. The integration test for webpack + shows that it works, but if it doesn't please open an issue. [Commits](https://github.com/wycats/handlebars.js/compare/v4.1.2-0...v4.2.0) ## v4.1.2-0 - August 25th, 2019 + [#1540](https://github.com/wycats/handlebars.js/pull/1540) - added browser to package.json, resolves #1102 ([@ouijan](https://api.github.com/users/ouijan)) Compatibility notes: + - We are not sure if imports via webpack are still working, which is why this release is a pre-release [Commits](https://github.com/wycats/handlebars.js/compare/v4.1.2...v4.1.2-0) ## v4.1.2 - April 13th, 2019 + Chore/Test: + - [#1515](https://github.com/wycats/handlebars.js/pull/1515) - Port over linting and test for typings ([@zimmi88](https://api.github.com/users/zimmi88)) - chore: add missing typescript dependency, add package-lock.json - 594f1e3 - test: remove safari from saucelabs - 871accc -Bugfixes: +Bugfixes: + - fix: prevent RCE through the "lookup"-helper - cd38583 Compatibility notes: -Access to the constructor of a class thought `{{lookup obj "constructor" }}` is now prohibited. This closes +Access to the constructor of a class thought `{{lookup obj "constructor" }}` is now prohibited. This closes a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility. This kind of access is not the intended use of Handlebars and leads to the vulnerability described -in #1495. We will **not** increase the major version, because such use is not intended or documented, +in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version -and the issue may not be resolved on many systems). +and the issue may not be resolved on many systems). [Commits](https://github.com/wycats/handlebars.js/compare/v4.1.1...v4.1.2) ## v4.1.1 - March 16th, 2019 + Bugfixes: + - fix: add "runtime.d.ts" to allow "require('handlebars/runtime')" in TypeScript - 5cedd62 Refactorings: + - replace "async" with "neo-async" - 048f2ce - use "substring"-function instead of "substr" - 445ae12 Compatibility notes: -- This is a bugfix release. There are no breaking change and no new features. +- This is a bugfix release. There are no breaking change and no new features. [Commits](https://github.com/wycats/handlebars.js/compare/v4.1.0...v4.1.1) ## v4.1.0 - February 7th, 2019 + New Features - import TypeScript typings - 27ac1ee @@ -312,11 +375,10 @@ document.getElementById('output').innerHTML = template(new SomeClass()); This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will **not** increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems). - - [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.12...v4.1.0) ## v4.0.12 - September 4th, 2018 + New features: - none @@ -341,24 +403,26 @@ Removed obsolete code: - Update jsfiddle to 4.0.11 - 8947dd0 Compatibility notes: + - No compatibility issues are to be expected [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.11...v4.0.12) ## v4.0.11 - October 17th, 2017 + - [#1391](https://github.com/wycats/handlebars.js/issues/1391) - `uglify-js` is unconditionally imported, but only listed as optional dependency ([@Turbo87](https://github.com/Turbo87)) - [#1233](https://github.com/wycats/handlebars.js/issues/1233) - Unable to build under windows - error at test:bin task ([@blikblum](https://github.com/blikblum)) - Update (C) year in the LICENSE file - 21386b6 Compatibility notes: + - This is a bugfix release. There are no breaking change and no new features. [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.10...v4.0.11) ## v4.0.10 - May 21st, 2017 -- Fix regression in 4.0.9: Replace "Object.assign" (not support in IE) by "util/extend" - 0e953d1 - +- Fix regression in 4.0.9: Replace "Object.assign" (not support in IE) by "util/extend" - 0e953d1 [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.9...v4.0.10) @@ -367,30 +431,34 @@ Compatibility notes: - [#1327](https://github.com/wycats/handlebars.js/issues/1327) Handlebars.compile() does not modify "options" anymore - pending [#1331](https://github.com/wycats/handlebars.js/issues/1331) Attempts to build Handlebars in a Windows environment - Fix build in windows - cc554a5 - - Ensure LF line-edings in handlebars-template fixtures (*.hbs) - ed879a6 + - Ensure LF line-edings in handlebars-template fixtures (\*.hbs) - ed879a6 - Run integration test with `node handlebars -a ...` on Windows - 2e21e2b - - Ensure LF line-edings in lexer-files (*.l) - bdfdbea + - Ensure LF line-edings in lexer-files (\*.l) - bdfdbea - Force LF line-endings for spec/artifacts - b50ef03 - Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 6e6269f - TravisCI: Publish valid semver tags independently of the branch - 7378f85 Compatibility notes: + - No compatibility issues are expected. [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.8...v4.0.9) ## v4.0.8 - May 2nd, 2017 + - [#1341](https://github.com/wycats/handlebars.js/issues/1341) [#1342](https://github.com/wycats/handlebars.js/issues/1342) Allow partial-blocks to be executed without "options" ([@nknapp](https://github.com/nknapp)) - a00c598 Compatibility notes: + - No breaking changes [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.7...v4.0.8) ## v4.0.7 - April 29th, 2017 + - [#1319](https://github.com/wycats/handlebars.js/issues/1319): Fix context-stack when calling block-helpers on null values ([@nknapp](https://github.com/nknapp)) - c8f4b57 - [#1315](https://github.com/wycats/handlebars.js/pull/1315) Parser: Change suffix to use ES6 default module export ([@Turbo87](https://github.com/Turbo87))- b617375 -- [#1290](https://github.com/wycats/handlebars.js/pull/1290) [#1252](https://github.com/wycats/handlebars.js/issue/1290) Add more tests for partial-blocks and inline partials ([@nknapp](https://github.com/nknapp)) - 63a8e0c +- [#1290](https://github.com/wycats/handlebars.js/pull/1290) [#1252](https://github.com/wycats/handlebars.js/issue/1290) Add more tests for partial-blocks and inline partials ([@nknapp](https://github.com/nknapp)) - 63a8e0c - [#1252](https://github.com/wycats/handlebars.js/issue/1290) Using @partial-block twice in a template not possible ([@nknapp](https://github.com/nknapp)) - 5a164d0 - [#1310](https://github.com/wycats/handlebars.js/pull/1310) Avoid duplicate "sourceMappingURL=" lines. ([@joonas-lahtinen](https://github.com/joonas-lahtinen)) - 01b0f65 - [#1275](https://github.com/wycats/handlebars.js/pull/1275) require('sys') is deprecated, using 'util' instead ([@travnels](https://github.com/travnels)) - 406f2ee @@ -400,6 +468,7 @@ Compatibility notes: [Commits](https://github.com/lawnsea/handlebars.js/compare/v4.0.6...v4.0.7) ## v4.0.6 - November 12th, 2016 + - [#1243](https://github.com/wycats/handlebars.js/pull/1243) - Walk up data frames for nested @partial-block ([@lawnsea](https://github.com/lawnsea)) - [#1210](https://github.com/wycats/handlebars.js/pull/1210) - Add a new lightweight package based on handlebars in the README ([@kabirbaidhya](https://github.com/kabirbaidhya)) - [#1187](https://github.com/wycats/handlebars.js/pull/1187) - Ensure that existing blockParams and depths are respected on dupe programs ([@charleso](https://github.com/charleso)) @@ -407,7 +476,7 @@ Compatibility notes: - [#1177](https://github.com/wycats/handlebars.js/pull/1177) - Preserve License info in Closure Compiler ([@gennadiylitvinyuk](https://github.com/gennadiylitvinyuk)) - [#1171](https://github.com/wycats/handlebars.js/pull/1171) - Contributing doc fix: failing thats -> failing tests ([@paulfalgout](https://github.com/paulfalgout)) - [#1166](https://github.com/wycats/handlebars.js/pull/1166) - Update license date ([@timwangdev](https://github.com/timwangdev)) -- Update jsfiddle to point to latest - 959ee55 (originally dfc7554 by [@kpdecker](https://github.com/kpdecker)) +- Update jsfiddle to point to latest - 959ee55 (originally dfc7554 by [@kpdecker](https://github.com/kpdecker)) - [#1163](https://github.com/wycats/handlebars.js/pull/1163) - Fix typos on decorators-api.md. ([@adjohnson916](https://github.com/adjohnson916)) - Drop extra Error params - 8c19874 (originally 63fdb92 by [@kpdecker](https://github.com/kpdecker)) - [#1153](https://github.com/wycats/handlebars.js/pull/1153) - Add documentation for running tests to contributing.md ([@ryanmurakami](https://github.com/ryanmurakami)) @@ -421,6 +490,7 @@ Compatibility notes: [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.5...v4.0.6) ## v4.0.5 - November 19th, 2015 + - [#1132](https://github.com/wycats/handlebars.js/pull/1132) - Update uglify-js to avoid vulnerability ([@plynchnlm](https://github.com/plynchnlm)) - [#1129](https://github.com/wycats/handlebars.js/issues/1129) - Minified lib returns an empty string ([@bricss](https://github.com/bricss)) - Return current handlebars instance from noConflict - 685cf92 @@ -433,12 +503,14 @@ Compatibility notes: [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.4...v4.0.5) ## v4.0.4 - October 29th, 2015 + - [#1121](https://github.com/wycats/handlebars.js/pull/1121) - Include partial name in 'undefined partial' exception message ([@shinypb](https://github.com/shinypb)) - [#1125](https://github.com/wycats/handlebars.js/pull/1125) - Add promised-handlebars to "in-the-wild"-list ([@nknapp](https://github.com/nknapp)) [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.3...v4.0.4) ## v4.0.3 - September 23rd, 2015 + - [#1099](https://github.com/wycats/handlebars.js/issues/1099) - @partial-block is overridden ([@btmorex](https://github.com/btmorex)) - [#1093](https://github.com/wycats/handlebars.js/issues/1093) - #each skips iteration on undefined values ([@florianpilz](https://github.com/florianpilz)) - [#1092](https://github.com/wycats/handlebars.js/issues/1092) - Square braces in key name ([@distantnative](https://github.com/distantnative)) @@ -446,22 +518,26 @@ Compatibility notes: - [#1090](https://github.com/wycats/handlebars.js/pull/1090) - grammar fixes in 4.0.0 release notes ([@nikolas](https://github.com/nikolas)) Compatibility notes: + - `each` iteration with `undefined` values has been restored to the 3.0 behaviors. Helper calls with undefined context values will now execute against an arbitrary empty object to avoid executing against global object in non-strict mode. - `]` can now be included in `[]` wrapped identifiers by escaping with `\`. Any `[]` identifiers that include `\` will now have to properly escape these values. [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.2...v4.0.3) ## v4.0.2 - September 4th, 2015 + - [#1089](https://github.com/wycats/handlebars.js/issues/1089) - "Failover content" not working in multiple levels of inline partials ([@michaellopez](https://github.com/michaellopez)) [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.1...v4.0.2) ## v4.0.1 - September 2nd, 2015 + - Fix failure when using decorators in partials - 05b82a2 [Commits](https://github.com/wycats/handlebars.js/compare/v4.0.0...v4.0.1) ## v4.0.0 - September 1st, 2015 + - [#1082](https://github.com/wycats/handlebars.js/pull/1082) - Decorators and Inline Partials ([@kpdecker](https://github.com/kpdecker)) - [#1076](https://github.com/wycats/handlebars.js/pull/1076) - Implement partial blocks ([@kpdecker](https://github.com/kpdecker)) - [#1087](https://github.com/wycats/handlebars.js/pull/1087) - Fix #each when last object entry has empty key ([@denniskuczynski](https://github.com/denniskuczynski)) @@ -497,6 +573,7 @@ Compatibility notes: - Fix location information for programs - [93faffa](https://github.com/wycats/handlebars.js/commit/93faffa) Compatibility notes: + - Depthed paths are now conditionally pushed on to the stack. If the helper uses the same context, then a new stack is not created. This leads to behavior that better matches expectations for helpers like `if` that do not seem to alter the context. Any instances of `../` in templates will need to be checked for the correct behavior under 4.0.0. In general templates will either reduce the number of `../` instances or leave them as is. See [#1028](https://github.com/wycats/handlebars.js/issues/1028). - The `=` character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e. `