[Security] Bump handlebars from 4.1.2 to 4.5.3

[dependabot-preview]

Bumps handlebars from 4.1.2 to 4.5.3. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects handlebars Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Affected versions: < 4.3.0

Changelog

Sourced from handlebars's changelog.

v4.5.3 - November 18th, 2019

Bugfixes:

• fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
• fix: add more properties required to be enumerable - 1988878

Chores / Build:

• fix: use !== 0 instead of != 0 - c02b05f
• add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0

Security:

• The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "properties that must be enumerable". If a property by that name is found and not enumerable on its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.

Compatibility notes:

• Due to the security-fixes. The semantics of the templates using __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ in the respect that those expression now return undefined rather than their actual value from the proto.
• The semantics have not changed in cases where the properties are enumerable, as in:

{
  __proto__: 'some string'
}

• The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.

Commits

v4.5.2 - November 13th, 2019

Bugfixes

• fix: use String(field) in lookup when checking for "constructor" - d541378
• test: add fluent API for testing Handlebars - c2ac79c

Compatibility notes:

• no incompatibility are to be expected

... (truncated)

Commits

• c819c8b v4.5.3
• 827c9d0 Update release notes
• f7f05d7 fix: add "no-prototype-builtins" eslint-rule and fix all occurences
• 1988878 fix: add more properties required to be enumerable
• 886ba86 test/chore: add chai/expect and sinon to "runtime"-environment
• 0817dad test: add sinon as global variable to eslint in the specs
• 93516a0 test: add sinon.js for spies, deprecate current assertions
• 93e284e chore: add chai and dirty-chai for better test assertions
• c02b05f fix: use !== 0 instead of != 0
• 8de121d v4.5.2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @eps1lon.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

• Update frequency
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[eps1lon]

@dependabot squash and merge

[mui-pr-bot]

No bundle size changes comparing fec696d...29c2a67

Generated by 🚫 dangerJS against 29c2a67

[dependabot-preview]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

• ci/circleci: test_browser-1

Dependabot will still automatically merge this pull request if you amend it and your tests pass.