Skip to content

Commit

Permalink
Update release notes
Browse files Browse the repository at this point in the history
  • Loading branch information
nknapp committed Feb 23, 2020
1 parent 156061e commit 90ad8d9
Showing 1 changed file with 24 additions and 1 deletion.
25 changes: 24 additions & 1 deletion release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,30 @@

## Development

[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.7...master)
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.8...master)

## v3.0.8 - February 23rd, 2020
Bugfixes:
- backport some (but not all) of the security fixes from 4.x - 156061e

Compatibility notes:
- The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__`
have been added to the list of "dangerous properties". If a property
by that name is found and not an own-property of its parent, it will silently evaluate to undefined.
This is done in both the compiled template and the "lookup"-helper. This will prevent
Remote-Code-Execution exploits that have been published in npm advisories [1324](https://www.npmjs.com/advisories/1324)
and [1316](https://www.npmjs.com/advisories/1316).
- The check for dangerous properties has been changed from "propertyIsEnumerable" to "hasOwnProperty", as it is now done
in Handlebars 4.6.0 and later.

Security issues resolved:
- [npm advisory 1324](https://www.npmjs.com/advisories/1324)
- [npm advisory 1316](https://www.npmjs.com/advisories/1316)
- [npm advisory 1325](https://www.npmjs.com/advisories/1325)
- [npm advisory 1164](https://www.npmjs.com/advisories/1164)


[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.7...v3.0.8)

## v3.0.7 - June 30th, 2019
Security fixes:
Expand Down

0 comments on commit 90ad8d9

Please sign in to comment.