handlebars.js v4.1.2 Release Notes

Release Date: 2019-04-13
  • ✅ Chore/Test:

    • 👕 #1515 - Port over linting and test for typings (@zimmi88)
    • 🔒 chore: add missing typescript dependency, add package-lock.json - 594f1e3
    • 🚚 test: remove safari from saucelabs - 871accc

  • 🛠 Bugfixes:

    • 🛠 fix: prevent RCE through the "lookup"-helper - cd38583

    Compatibility notes:

    Access to the constructor of a class through {{lookup obj "constructor"}} is now prohibited. This closes a leak that was only partially closed in versions 4.0.13 and 4.1.0, at the cost of a slight incompatibility.

    This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is neither intended nor documented, and because of the potential impact of the issue: we fear that most people would not move to a new major version, so the issue would remain unresolved on many systems.
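    The note above describes the behaviour change in prose only. The following is an added illustration, not code from the Handlebars project, that models a `lookup`-style helper in two variants: a permissive one in which `"constructor"` walks the prototype chain, and a hardened one that refuses `constructor` and any inherited property. The function names, the deny-list and the sample context are assumptions made for this example, not the contents of commit cd38583.

```javascript
'use strict';

// Permissive variant (an assumed model of the behaviour the release note
// prohibits): plain property access, so "constructor" reaches the class and,
// one step further, the Function constructor through the prototype chain.
function lookupPermissive(obj, field) {
  if (obj == null) return undefined;
  return obj[field];
}

// Hardened variant: only own properties are reachable, and the name the
// release note singles out, "constructor", is refused outright.
function lookupHardened(obj, field) {
  if (obj == null) return undefined;
  if (typeof field !== 'string' && typeof field !== 'number') return undefined;
  const key = String(field);
  // "constructor" is what the 4.1.2 note prohibits; __proto__ and prototype
  // are added here as an assumption of this example, since they offer the
  // same kind of escape from the data object.
  if (key === 'constructor' || key === '__proto__' || key === 'prototype') {
    return undefined;
  }
  // Nothing inherited: only the object's own fields are template data.
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
  return obj[key];
}

// Constructed sample context standing in for a template's data object.
const sampleContext = { name: 'alice', roles: ['admin'] };

// Two chained lookups, as nested {{lookup}} calls in a template would do:
// lookup(lookup(ctx, "constructor"), "constructor"). Under the permissive
// variant this yields Function; under the hardened one it yields nothing.
function reachesFunctionCtor(lookup) {
  const first = lookup(sampleContext, 'constructor');
  const second = lookup(first, 'constructor');
  return second === Function;
}

// Ordinary use is unaffected: own fields resolve identically in both variants.
function legitimateLookupsAgree() {
  return (
    lookupPermissive(sampleContext, 'name') === lookupHardened(sampleContext, 'name') &&
    lookupPermissive(sampleContext.roles, 0) === lookupHardened(sampleContext.roles, 0)
  );
}

console.log('permissive reaches Function:', reachesFunctionCtor(lookupPermissive));
console.log('hardened reaches Function:  ', reachesFunctionCtor(lookupHardened));
```

    The hardened variant answers the compatibility question directly: templates that look up their own data fields, including array indices, behave as before, while any template that relied on `{{lookup obj "constructor"}}` now gets an undefined value instead of the class.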
