All Versions
74
Latest Version
Avg Release Cycle
24 days
Latest Release
843 days ago

Changelog History
Page 4

  • v4.1.1 Changes

    March 16, 2019

    ๐Ÿ›  Bugfixes:

    • ๐Ÿ›  fix: add "runtime.d.ts" to allow "require('handlebars/runtime')" in TypeScript - 5cedd62

    ๐Ÿ”จ Refactorings:

    • replace "async" with "neo-async" - 048f2ce
    • ๐Ÿ‘‰ use "substring"-function instead of "substr" - 445ae12

    Compatibility notes:

    • ๐Ÿ›  This is a bugfix release. There are no breaking change and no new features.

    Commits

  • v4.1.0 Changes

    February 07, 2019

    ๐Ÿ†• New Features

    • import TypeScript typings - 27ac1ee

    ๐Ÿ”’ Security fixes:

    • disallow access to the constructor in templates to prevent RCE - 42841c4, #1495

    Housekeeping

    • ๐Ÿš€ chore: fix components/handlebars package.json and auto-update on release - bacd473
    • ๐Ÿ— chore: Use node 10 to build handlebars - 78dd89c
    • ๐Ÿš€ chore/doc: Add more release docs - 6b87c21

    Compatibility notes:

    Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent Remote Code Execution. This means that following construct will no work anymore:

    class SomeClass {
    }
    
    SomeClass.staticProperty = 'static'
    
    var template = Handlebars.compile('{{constructor.staticProperty}}');
    document.getElementById('output').innerHTML = template(new SomeClass());
    // expected: 'static', but now this is empty.
    

    This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).

    Commits

  • v4.0.14

    April 13, 2019
  • v4.0.13 Changes

    February 07, 2019

    2019-02-02

  • v4.0.13-beta.0

    February 02, 2019
  • v4.0.13-0

    February 02, 2019
  • v4.0.12 Changes

    September 04, 2018

    ๐Ÿ†• New features:

    • none

    โšก๏ธ Various dependency updates

    • ๐Ÿ”Œ #1464 - Bump versions of grunt-plugins to 1.x
    • โšก๏ธ #1398 - Chore: updated various dev dependencies
    • โฌ†๏ธ upgrade uglify-js - d3d3942
    • โšก๏ธ Update grunt-eslint to 20.1.0 - 7729aa9
    • โšก๏ธ Update dependencies "async" to 2.5.0 and "source-map" to 0.6.1 (73d5637)

    ๐Ÿ›  Bugfixes:

    โœ‚ Removed obsolete code:

    • unnecessary check - 0ddff8b
    • ๐Ÿ‘‰ Use files field - 69c6ca5
    • โšก๏ธ Update jsfiddle to 4.0.11 - 8947dd0

    Compatibility notes:

    • No compatibility issues are to be expected

    Commits

  • v4.0.11 Changes

    October 17, 2017
    • #1391 - uglify-js is unconditionally imported, but only listed as optional dependency (@Turbo87)
    • ๐Ÿ #1233 - Unable to build under windows - error at test:bin task (@blikblum)
    • โšก๏ธ Update (C) year in the LICENSE file - 21386b6

    Compatibility notes:

    • ๐Ÿ›  This is a bugfix release. There are no breaking change and no new features.

    Commits

  • v4.0.10 Changes

    May 21, 2017
    • ๐Ÿ›  Fix regression in 4.0.9: Replace "Object.assign" (not support in IE) by "util/extend" - 0e953d1

    Commits

  • v4.0.9 Changes

    May 21, 2017
    • #1327 Handlebars.compile() does not modify "options" anymore
    • ๐Ÿ pending #1331 Attempts to build Handlebars in a Windows environment
      • Fix build in windows - cc554a5
      • Ensure LF line-edings in handlebars-template fixtures (*.hbs) - ed879a6
      • Run integration test with node handlebars -a ... on Windows - 2e21e2b
      • Ensure LF line-edings in lexer-files (*.l) - bdfdbea
      • Force LF line-endings for spec/artifacts - b50ef03
      • Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 6e6269f
    • TravisCI: Publish valid semver tags independently of the branch - 7378f85

    Compatibility notes:

    • No compatibility issues are expected.

    Commits