handlebars.js v4.5.3 Release Notes

Release Date: 2019-11-18
  🛠 Bugfixes:

    • 🛠 fix: add "no-prototype-builtins" eslint-rule and fix all occurrences - f7f05d7
    • 🛠 fix: add more properties required to be enumerable - 1988878

    ๐Ÿ— Chores / Build:

    • ๐Ÿ›  fix: use !== 0 instead of != 0 - c02b05f
    • โž• add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0

  🔒 Security:

    • The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "properties that must be enumerable". If a property with one of these names is found but is not enumerable on its parent, it silently evaluates to undefined. This check is performed both in the compiled template and in the "lookup" helper. It prevents the Remote-Code-Execution exploits that have been published recently.

  Compatibility notes:

    • 🔒 Due to the security fixes, the semantics of templates that use __proto__, __defineGetter__, __defineSetter__ or __lookupGetter__ have changed in one respect: those expressions now return undefined rather than the actual value from the prototype.
    • The semantics have not changed in cases where the properties are enumerable, as in:
      {
        __proto__: 'some string'
      }

    • The change may be breaking in that respect, but we still only increase the patch version, because the incompatible use cases are not intended, are undocumented and are far less important than fixing Remote-Code-Execution exploits on existing systems.
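    The following is an added illustration of the rule described in the Security and Compatibility sections, not Handlebars' own code: a path lookup that returns undefined for the four named properties unless they are own, enumerable properties of the parent object. The property list and the constructed sample contexts are assumptions made for this example.

```javascript
// Added example, not the handlebars.js runtime. Models the 4.5.3 rule:
// the four properties below resolve only when they are enumerable on the
// parent itself; otherwise the lookup silently yields undefined.
const MUST_BE_ENUMERABLE = new Set([
  '__proto__', '__defineGetter__', '__defineSetter__', '__lookupGetter__',
]);

// Resolve one path segment against its parent. This is the check the notes
// describe as applied both in compiled templates and in the lookup helper.
function lookupProperty(parent, name) {
  if (parent == null) return undefined;
  // propertyIsEnumerable only reports OWN properties, so an accessor such as
  // __proto__ inherited from Object.prototype is rejected here.
  if (MUST_BE_ENUMERABLE.has(name) &&
      !Object.prototype.propertyIsEnumerable.call(parent, name)) {
    return undefined;
  }
  return parent[name];
}

// Walk a dotted template path such as "user.__proto__" one segment at a time.
function resolvePath(context, path) {
  return path.split('.').reduce(lookupProperty, context);
}

// Constructed sample contexts (assumptions for this example).
// JSON.parse creates a real own, enumerable "__proto__" data property, which
// is the "semantics unchanged" case from the compatibility notes. Note that a
// JS object literal { __proto__: 'x' } would NOT create such a property.
const jsonContext = JSON.parse('{"__proto__": "some string", "name": "x"}');
const plainContext = { name: 'x' };

// Summarise the behaviour for the reader and for the test below.
function demo() {
  return {
    // Enumerable own property: value still returned.
    enumerableProto: resolvePath(jsonContext, '__proto__'),
    // Inherited, non-enumerable accessor: now undefined (was Object.prototype).
    inheritedProto: resolvePath(plainContext, '__proto__'),
    inheritedDefineGetter: resolvePath(plainContext, '__defineGetter__'),
    // Ordinary properties are unaffected.
    ordinary: resolvePath(plainContext, 'name'),
  };
}
```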
