chore(deps): update dependency handlebars to v4.7.7 [security] - abandoned #186
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.2
->4.7.7
GitHub Vulnerability Alerts
CVE-2019-19919
Versions of
handlebars
prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects'__proto__
and__defineGetter__
properties, which may allow an attacker to execute arbitrary code through crafted payloads.Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
GHSA-f52g-6jhx-586p
Affected versions of
handlebars
are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.Recommendation
Upgrade to version 4.4.5 or later.
GHSA-2cf5-4w76-r9qv
Versions of
handlebars
prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).The following template can be used to demonstrate the vulnerability:
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
GHSA-g9r4-xpmj-mj65
Versions of
handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
GHSA-q2c6-c6pm-g3gh
Versions of
handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
CVE-2021-23369
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2019-20922
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
CVE-2019-20920
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
CVE-2021-23383
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Release Notes
wycats/handlebars.js
v4.7.7
Compare Source
eb860c0
b6d3de7
f058970
77825f8
3789a30
(POSSIBLY) BREAKING CHANGES:
in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods
can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties
from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.
That is why we only bump the patch version despite mentioning breaking changes.
Commits
v4.7.6
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.5
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.4
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.3
Compare Source
Chore/Housekeeping:
d78cc73
Bugfixes:
4de51fe
a32d05f
Compatibility notes:
Commits
v4.7.2
Compare Source
Bugfixes:
9d5aa36
, #1639Chore/Build:
a4fd391
Compatibility notes:
Commits
v4.7.1
Compare Source
Bugfixes:
f152dfc
3c1e252
Compatibility notes:
Commits
v4.7.0
Compare Source
Features:
7af1c12
, #1635and no explicit configuration has taken place.
Compatibility notes:
Commits
v4.6.0
Compare Source
Features:
d03b6ec
Bugfixes:
23d58e7
Chores, docs:
d7f0dcf
,187d611
,d337f40
c40d9f3
,8901c28
,e97685e
,1f61f21
164b7ff
,1ebce2b
14b621c
,1ec1737
,3a5b65e
,dde108e
,04b1984
,587e7a3
e913dc5
,ac4655e
,dc54952
d1fb07b
edcc84f
BREAKING CHANGES:
access to prototype properties is forbidden completely by default,
specific properties or methods can be allowed via runtime-options.
See #1633 for details.
If you are using Handlebars as documented, you should not be accessing prototype
properties from your template anyway, so the changes should not be a problem
for you. Only the use of undocumented features can break your build.
That is why we only bump the minor version despite mentioning breaking changes.
Commits
v4.5.3
Compare Source
Bugfixes:
f7f05d7
1988878
Chores / Build:
c02b05f
deprecate old assertion-methods -
93e284e
,886ba86
,0817dad
,93516a0
Security:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
have been added to the list of "properties that must be enumerable".
If a property by that name is found and not enumerable on its parent,
it will silently evaluate to
undefined
. This is done in both the compiled template and the "lookup"-helper.This will prevent new Remote-Code-Execution exploits that have been
published recently.
Compatibility notes:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
in the respect that those expression now returnundefined
rather than their actual value from the proto.increase the patch-version, because the incompatible use-cases
are not intended, undocumented and far less important than fixing
Remote-Code-Execution exploits on existing systems.
Commits
v4.5.2
Compare Source
v4.5.1
Compare Source
Bugfixs
5e9d17f
(#1589)Compatibility notes:
Commits
v4.5.0
Compare Source
Features / Improvements
62ed3c2
feb60f8
Bugfixes:
7fcf9d2
Chore:
7052e88
088e618
Compatibility notes:
Commits
v4.4.5
Compare Source
Bugfixes:
8d5530e
, #1579Commits
v4.4.4
Compare Source
Bugfixes:
f1752fe
Chore:
0b593bf
Compatibility notes:
Commits
v4.4.3
Compare Source
Bugfixes
Typings:
0440af2
Commits
v4.4.2
Compare Source
b7eada0
Commits
v4.4.1
Compare Source
Commits
v4.4.0
Compare Source
cf7545e
Commits
v4.3.5
Compare Source
Commits
v4.3.4
Compare Source
ff4d827
Compatibility notes:
Commits
v4.3.3
Compare Source
8742bde
Commits
v4.3.2
Compare Source
213c0bb
, #1563Compatibility notes:
Commits
v4.3.1
Compare Source
Fixes:
1266838
, #156193444c5
,64ecb9e
, #1560Commits
v4.3.0
Compare Source
Fixes:
2078c72
2078c72
Features:
allowCallsToHelperMissing
to allow callingblockHelperMissing
andhelperMissing
.Breaking changes:
Compatibility notes:
Compiler revision increased -
06b7224
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly -
2078c72
{{blockHelperMissing}}
wasnever intended and was part of the exploits that have been revealed early in 20https://github.com/handlebars-lang/handlebars.js/issues/1495s.js/issues/1495). It is also part of a new exploit that
is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
is now not possible anymore. Overriding those helpers is still possible.
allowCallsToHelperMissing
totrue
and thecalls will again be possible
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
Commits
v4.2.2
Compare Source
Commits
v4.2.1
Compare Source
Bugfixes:
c55a7be
, #1553Compatibility notes:
Commits
v4.2.0
Compare Source
Chore/Test:
grunt-saucelab
with current sauce-connect proxy -f119497
f9cce4d
a57b682
Bugfixes:
knownHelpers
doesnt allow for custom helpers (@NickCis)Features:
Compatibility notes:
shows that it works, but if it doesn't please open an issue.
Commits
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.