-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency handlebars to v4.7.7 [security] #1839
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
November 9, 2022 16:17
ba42a8f
to
42b1e4a
Compare
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Dec 17, 2022
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Dec 17, 2022
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
fix(deps): update dependency handlebars to v4.7.7 [security] - autoclosed
Feb 2, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security] - autoclosed
fix(deps): update dependency handlebars to v4.7.7 [security]
Feb 2, 2023
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
March 2, 2023 13:23
42b1e4a
to
c4d8244
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
March 10, 2023 07:31
c4d8244
to
206a4ed
Compare
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Jul 7, 2023
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Jul 10, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Oct 17, 2023
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Oct 18, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Nov 16, 2023
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Nov 16, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Dec 21, 2023
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Dec 21, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Dec 21, 2023
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Dec 29, 2023
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 18, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 19, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 19, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 19, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 19, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 20, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 20, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 21, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 21, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 21, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 27, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Mar 27, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Mar 27, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Apr 2, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Apr 2, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Apr 4, 2024
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
April 10, 2024 11:10
206a4ed
to
1888bc0
Compare
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
fix(deps): update dependency handlebars to v4.3.0 [security]
Apr 10, 2024
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
April 21, 2024 09:07
f42d836
to
42b128d
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
2 times, most recently
from
April 29, 2024 08:04
d6495bd
to
4de686d
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
June 4, 2024 14:15
4de686d
to
9a96fe8
Compare
renovate
bot
force-pushed
the
renovate/npm-handlebars-vulnerability
branch
from
July 21, 2024 11:09
9a96fe8
to
c378d15
Compare
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.3.0 [security]
Update dependency handlebars to v4.3.0 [SECURITY]
Jul 25, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.3.0 [SECURITY]
Update dependency handlebars to v4.7.7 [SECURITY]
Aug 6, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Aug 26, 2024
renovate
bot
changed the title
fix(deps): update dependency handlebars to v4.7.7 [security]
Update dependency handlebars to v4.7.7 [SECURITY]
Aug 26, 2024
renovate
bot
changed the title
Update dependency handlebars to v4.7.7 [SECURITY]
fix(deps): update dependency handlebars to v4.7.7 [security]
Aug 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.2.0
->4.7.7
GitHub Vulnerability Alerts
GHSA-f52g-6jhx-586p
Affected versions of
handlebars
are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.Recommendation
Upgrade to version 4.4.5 or later.
GHSA-2cf5-4w76-r9qv
Versions of
handlebars
prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).The following template can be used to demonstrate the vulnerability:
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
GHSA-g9r4-xpmj-mj65
Versions of
handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
GHSA-q2c6-c6pm-g3gh
Versions of
handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
CVE-2021-23369
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2019-20922
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
CVE-2019-20920
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
CVE-2021-23383
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Release Notes
handlebars-lang/handlebars.js (handlebars)
v4.7.7
Compare Source
eb860c0
b6d3de7
f058970
77825f8
3789a30
(POSSIBLY) BREAKING CHANGES:
in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods
can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties
from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.
That is why we only bump the patch version despite mentioning breaking changes.
Commits
v4.7.6
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.5
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.4
Compare Source
Chore/Housekeeping:
Compatibility notes:
Commits
v4.7.3
Compare Source
Chore/Housekeeping:
d78cc73
Bugfixes:
4de51fe
a32d05f
Compatibility notes:
Commits
v4.7.2
Compare Source
Bugfixes:
9d5aa36
, #1639Chore/Build:
a4fd391
Compatibility notes:
Commits
v4.7.1
Compare Source
Bugfixes:
f152dfc
3c1e252
Compatibility notes:
Commits
v4.7.0
Compare Source
Features:
7af1c12
, #1635and no explicit configuration has taken place.
Compatibility notes:
Commits
v4.6.0
Compare Source
Features:
d03b6ec
Bugfixes:
23d58e7
Chores, docs:
d7f0dcf
,187d611
,d337f40
c40d9f3
,8901c28
,e97685e
,1f61f21
164b7ff
,1ebce2b
14b621c
,1ec1737
,3a5b65e
,dde108e
,04b1984
,587e7a3
e913dc5
,ac4655e
,dc54952
d1fb07b
edcc84f
BREAKING CHANGES:
access to prototype properties is forbidden completely by default,
specific properties or methods can be allowed via runtime-options.
See #1633 for details.
If you are using Handlebars as documented, you should not be accessing prototype
properties from your template anyway, so the changes should not be a problem
for you. Only the use of undocumented features can break your build.
That is why we only bump the minor version despite mentioning breaking changes.
Commits
v4.5.3
Compare Source
Bugfixes:
f7f05d7
1988878
Chores / Build:
c02b05f
deprecate old assertion-methods -
93e284e
,886ba86
,0817dad
,93516a0
Security:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
have been added to the list of "properties that must be enumerable".
If a property by that name is found and not enumerable on its parent,
it will silently evaluate to
undefined
. This is done in both the compiled template and the "lookup"-helper.This will prevent new Remote-Code-Execution exploits that have been
published recently.
Compatibility notes:
__proto__
,__defineGetter__
,__defineSetter__
and__lookupGetter__
in the respect that those expression now returnundefined
rather than their actual value from the proto.increase the patch-version, because the incompatible use-cases
are not intended, undocumented and far less important than fixing
Remote-Code-Execution exploits on existing systems.
Commits
v4.5.2
Compare Source
v4.5.1
Compare Source
Bugfixs
5e9d17f
(#1589)Compatibility notes:
Commits
v4.5.0
Compare Source
Features / Improvements
62ed3c2
feb60f8
Bugfixes:
7fcf9d2
Chore:
7052e88
088e618
Compatibility notes:
Commits
v4.4.5
Compare Source
Bugfixes:
8d5530e
, #1579Commits
v4.4.4
Compare Source
Bugfixes:
f1752fe
Chore:
0b593bf
Compatibility notes:
Commits
v4.4.3
Compare Source
Bugfixes
Typings:
0440af2
Commits
v4.4.2
Compare Source
b7eada0
Commits
v4.4.1
Compare Source
Commits
v4.4.0
Compare Source
cf7545e
Commits
v4.3.5
Compare Source
Commits
v4.3.4
Compare Source
ff4d827
Compatibility notes:
Commits
v4.3.3
Compare Source
8742bde
Commits
v4.3.2
Compare Source
213c0bb
, #1563Compatibility notes:
Commits
v4.3.1
Compare Source
Fixes:
1266838
, #156193444c5
,64ecb9e
, #1560Commits
v4.3.0
Compare Source
Fixes:
2078c72
2078c72
Features:
allowCallsToHelperMissing
to allow callingblockHelperMissing
andhelperMissing
.Breaking changes:
Compatibility notes:
Compiler revision increased -
06b7224
The increase was done because the "helperMissing" and "blockHelperMissing" are now moved from the helpers
to the internal "container.hooks" object, so old templates will not be able to call them anymore. We suggest
that you always recompile your templates with the latest compiler in your build pipelines.
Disallow calling "helperMissing" and "blockHelperMissing" directly -
2078c72
{{blockHelperMissing}}
wasnever intended and was part of the exploits that have been revealed early in 20https://github.com/handlebars-lang/handlebars.js/issues/1495s.js/issues/1495). It is also part of a new exploit that
is not captured by the earlier fix. In order to harden Handlebars against such exploits, calling thos helpers
is now not possible anymore. Overriding those helpers is still possible.
allowCallsToHelperMissing
totrue
and thecalls will again be possible
Both bullet points imly that Handlebars is not 100% percent compatible to 4.2.0, despite the minor version bump.
We consider it more important to resolve a major security issue than to maintain 100% compatibility.
Commits
v4.2.2
Compare Source
Commits
v4.2.1
Compare Source
Bugfixes:
c55a7be
, #1553Compatibility notes:
Commits
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.