handlebars.js v4.2.0 Release Notes

Release Date: 2019-09-03

    ✅ Chore/Test:

    • 👉 Use custom grunt-saucelab with current sauce-connect proxy - f119497
    • ➕ Add framework for various integration tests - f9cce4d
    • ➕ Add integration test for webpack - a57b682

    🛠 Bugfixes:

    🔋 Features:

    • 📦 #1540 - added "browser"-property to package.json, resolves #1102 (@ouijan)

    Compatibility notes:

    • ✅ The new "browser"-property should not break anything, but you can never be sure. The integration test for webpack shows that it works, but if it doesn't, please open an issue.



Previous changes from v4.1.2

    ✅ Chore/Test:

    • 👕 #1515 - Port over linting and test for typings (@zimmi88)
    • 🔒 chore: add missing typescript dependency, add package-lock.json - 594f1e3
    • 🚚 test: remove safari from saucelabs - 871accc

    🛠 Bugfixes:

    • 🛠 fix: prevent RCE through the "lookup"-helper - cd38583

    Compatibility notes:

    Access to the constructor of a class through {{lookup obj "constructor" }} is now prohibited. This closes a leak that was only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.

    This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
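
    The restriction described in this compatibility note, as an added example that is not Handlebars' own code: `legacyLookup` and `guardedLookup` are hypothetical stand-ins for the helper before and after the change, and `auditLookup` is a regression check over constructed probes. Letting an own, enumerable data key named `constructor` through is an assumption of this example.

```javascript
'use strict';

// Hypothetical stand-in for the helper before the change: returns any
// property, including ones inherited through the prototype chain.
function legacyLookup(obj, field) {
  if (obj == null) return obj;
  return obj[field];
}

// Hypothetical stand-in for the helper after the change: "constructor" is
// refused unless it is an own, enumerable data property, i.e. a key the
// caller deliberately put into the template context (assumption of this example).
function guardedLookup(obj, field) {
  if (obj == null) return obj;
  if (field === 'constructor' &&
      !Object.prototype.propertyIsEnumerable.call(obj, field)) {
    return undefined;
  }
  return obj[field];
}

// Constructed probes: [description, context value, field, should it resolve?]
const PROBES = [
  ['plain data field', { name: 'alice' }, 'name', true],
  ['inherited constructor of object', { name: 'alice' }, 'constructor', false],
  ['inherited constructor of string', 'abc', 'constructor', false],
  ['inherited constructor of class instance', new (class User {})(), 'constructor', false],
  ['own data key named constructor', { constructor: 'ACME Ltd' }, 'constructor', true],
];

// Run every probe against a lookup implementation and return the
// descriptions of the probes whose outcome differs from the expectation.
function auditLookup(lookup) {
  const failures = [];
  for (const [what, obj, field, shouldResolve] of PROBES) {
    const resolved = lookup(obj, field) !== undefined;
    if (resolved !== shouldResolve) failures.push(what);
  }
  return failures;
}

console.log('legacy :', auditLookup(legacyLookup));
console.log('guarded:', auditLookup(guardedLookup));
```

    Templates that relied on reading an inherited `constructor` are the "slight incompatibility" the note refers to; ordinary data lookups are unaffected.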
