This repository has been archived by the owner on Jan 26, 2023. It is now read-only.
Update dependency mustache to v3 [SECURITY] #7
This PR contains the following updates: mustache ~0.8.0 -> ~3.0.0
GitHub Vulnerability Alerts
CVE-2015-8862
mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
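The advisory above describes the class of problem (an interpolated value landing in an unquoted HTML attribute). The following is an added example, not mustache.js code, showing two defender-side checks for it: an HTML escaper whose entity map also covers `=` and the backtick (assumed here to match what mustache.js escapes from 2.2.1 on), and a small template lint, this example's own, that flags `{{...}}` tags used as an unquoted attribute value, since quoting the attribute is the fix the template author controls regardless of library version. The sample templates are constructed.

```javascript
// Added example, not mustache.js code. Two defender-side checks for the problem
// class behind CVE-2015-8862. (1) escapeHtml uses an entity map that also covers
// "=" and "`" (assumed to match what mustache.js escapes from 2.2.1 on), so an
// interpolated value cannot introduce a new attribute even when the author
// forgot the quotes. (2) findUnquotedAttributeTags is a template lint, this
// example's own, that flags {{...}} used as an unquoted attribute value.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Matches  attr={{name}}  or  attr={{{name}}}  with nothing but whitespace
// between "=" and the opening braces, i.e. no surrounding quote.
const UNQUOTED_TAG_RE = /([A-Za-z_:][-\w:.]*)\s*=\s*\{\{\{?[^}]*\}\}\}?/g;

// Returns the names of attributes whose value is an unquoted mustache tag.
function findUnquotedAttributeTags(template) {
  const hits = [];
  let m;
  UNQUOTED_TAG_RE.lastIndex = 0;
  while ((m = UNQUOTED_TAG_RE.exec(template)) !== null) hits.push(m[1]);
  return hits;
}

// Constructed templates: the first has one unquoted attribute, the second none.
const RISKY_TEMPLATE = '<a href={{url}} title="{{title}}">{{label}}</a>';
const SAFE_TEMPLATE = '<a href="{{url}}" title="{{title}}">{{label}}</a>';
```

Running the lint over a template directory in CI catches the unquoted case before it reaches a renderer, and the escaper shows why upgrading matters: with `=` encoded, a value cannot terminate the attribute and start another one.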
Release Notes
janl/mustache.js
v3.0.3
Added
Fixed
v3.0.2
Fixed
Dev
v3.0.1
v3.0.0
We are very happy to announce a new major version of mustache.js. We want to be very careful not to break projects out in the wild, and adhering to Semantic Versioning we have therefore cut this new major version.
The changes introduced will likely not require any actions for most projects using mustache.js. The things to look out for that might cause unexpected rendering results are described in the migration guide below.
A big shout out and thanks to [@raymond-lam] for this release! Without his contributions with code and issue triaging, this release would never have happened.
Major
- Writer.prototype.parse to cache by tags in addition to template string, by [@raymond-lam].
- Writer.prototype.parse cache, by [@seminaoki].
Minor
- tags parameter to Mustache.render(), by [@raymond-lam].
Migrating from mustache.js v2.x to v3.x
Rendering properties of primitive types
We have ensured properties of primitive types can be rendered at all times. That means Array.length, String.length and similar. A corner case where this could cause unexpected output follows:
View:
Template:
Output with v3.0:
Output with v2.x:
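The view, template and outputs of the guide's own corner case did not survive on this page. The following is an added example, not mustache.js code: a simplified dotted-name lookup with the v2-style and v3-style property checks side by side, so the difference the guide describes can be seen on a constructed view. It assumes v2.x only descended into values of type "object" (so `name.length` on a string property rendered as an empty string) while v3.x also descends into non-null primitives; `lookup`, `renderVar` and `demoPrimitiveLookup` are this example's own names.

```javascript
// Added example, not mustache.js code: a simplified dotted-name lookup that
// reproduces the difference the migration guide describes. Assumption: v2.x
// only descended into values of type "object", so "name.length" on a string
// property resolved to nothing and rendered as ""; v3.x also descends into
// non-null primitives, so String.length and Array.length render.

// v2-style check: only objects (arrays included) are searched for a property.
function hasProperty(obj, prop) {
  return obj != null && typeof obj === 'object' && prop in obj;
}

// v3-style addition: a non-null primitive is searched for its own properties
// (a string primitive is boxed, so 'length' is found).
function primitiveHasOwnProperty(value, prop) {
  return value != null && typeof value !== 'object' &&
    Object.prototype.hasOwnProperty.call(value, prop);
}

// Resolves "a.b.c" against the view; renderPrimitiveProps toggles the v3 rule.
function lookup(view, name, renderPrimitiveProps) {
  let value = view;
  for (const part of name.split('.')) {
    const found = hasProperty(value, part) ||
      (renderPrimitiveProps && primitiveHasOwnProperty(value, part));
    if (!found) return undefined;
    value = value[part];
  }
  return value;
}

// Renders a single variable tag: missing or null values become "".
function renderVar(view, name, renderPrimitiveProps) {
  const value = lookup(view, name, renderPrimitiveProps);
  return value == null ? '' : String(value);
}

// Constructed view illustrating the corner case (not the guide's own data).
const VIEW = { name: 'Whitney', tags: ['a', 'b', 'c'] };

function demoPrimitiveLookup() {
  return {
    nameLengthV3: renderVar(VIEW, 'name.length', true),   // '7'
    nameLengthV2: renderVar(VIEW, 'name.length', false),  // ''
    tagsLengthV3: renderVar(VIEW, 'tags.length', true),   // '3'
    tagsLengthV2: renderVar(VIEW, 'tags.length', false),  // '3' (arrays are objects)
  };
}
```

The practical check before upgrading is to grep templates for dotted names ending in a property a primitive carries (`.length` most commonly) and confirm the newly non-empty output is intended.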
Caching for templates with custom delimiters
We have improved the templates cache to ensure custom delimiters are taken into consideration for the cache. This improvement might cause unexpected rendering behaviour for projects actively using the custom delimiters functionality.
Previously it was possible to use Mustache.parse() as a means to set global custom delimiters. If custom delimiters were provided as an argument, it would affect all following calls to Mustache.render(). Consider the following:
The above illustrates the fact that Mustache.parse() made mustache.js cache the template without considering the custom delimiters provided. This is no longer true.
We no longer encourage using Mustache.parse() for this purpose, but have rather added a fourth argument to Mustache.render() letting you provide custom delimiters when rendering. If you still need to pre-parse the template and use custom delimiters at the same time, ensure to provide the custom delimiters as argument to Mustache.render() as well.
v2.3.2
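The code sample the guide refers to with "Consider the following" is missing from this page. The following is an added example, not mustache.js code: a toy renderer with a parse cache in two variants, showing why a cache keyed on the template string alone lets a `Mustache.parse(template, customTags)` call leak into later `Mustache.render(template, view)` calls, and how keying the cache on template plus delimiters (what the guide says v3 does) fixes it. `tokenize`, `parseV2`, `parseV3`, `renderV2` and `renderV3` are this example's own names; `renderV3` mirrors the v3 `render(template, view, partials, tags)` argument order but ignores partials, and the template and view are constructed.

```javascript
// Added example, not mustache.js code: a toy renderer with a parse cache in two
// variants. parseV2 caches by template string only (the pre-v3 behaviour the
// guide describes); parseV3 caches by template string and delimiters. renderV3
// takes (template, view, partials, tags) like v3's Mustache.render() but ignores
// partials. All names here are this example's own.

const DEFAULT_TAGS = ['{{', '}}'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Splits a template into ['text', literal] and ['name', variable] tokens using
// the given open/close delimiters.
function tokenize(template, tags) {
  const [open, close] = tags;
  const re = new RegExp(escapeRegExp(open) + '\\s*([\\w.]+)\\s*' + escapeRegExp(close), 'g');
  const tokens = [];
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) tokens.push(['text', template.slice(last, m.index)]);
    tokens.push(['name', m[1]]);
    last = re.lastIndex;
  }
  if (last < template.length) tokens.push(['text', template.slice(last)]);
  return tokens;
}

// Pre-v3 behaviour: cache keyed on the template string only, so whichever
// delimiters were used first "win" for every later render of that template.
const cacheByTemplate = new Map();
function parseV2(template, tags = DEFAULT_TAGS) {
  if (!cacheByTemplate.has(template)) cacheByTemplate.set(template, tokenize(template, tags));
  return cacheByTemplate.get(template);
}

// v3 behaviour: cache keyed on template string and delimiters together.
const cacheByTemplateAndTags = new Map();
function parseV3(template, tags = DEFAULT_TAGS) {
  const key = JSON.stringify([template, tags]);
  if (!cacheByTemplateAndTags.has(key)) cacheByTemplateAndTags.set(key, tokenize(template, tags));
  return cacheByTemplateAndTags.get(key);
}

// Joins tokens back into output, substituting view properties for names.
function renderTokens(tokens, view) {
  return tokens
    .map(([type, value]) => (type === 'text' ? value : (value in view ? String(view[value]) : '')))
    .join('');
}

function renderV2(template, view) {
  return renderTokens(parseV2(template), view);
}

function renderV3(template, view, partials, tags) {
  return renderTokens(parseV3(template, tags || DEFAULT_TAGS), view);
}

// Constructed scenario: parse once with custom delimiters, then render the
// same template without passing them.
function demoDelimiterCache() {
  const template = 'Hello {{name}} and <% name %>';
  const view = { name: 'World' };

  parseV2(template, ['<%', '%>']);
  const v2 = renderV2(template, view);          // 'Hello {{name}} and World' (stale cache)

  parseV3(template, ['<%', '%>']);
  const v3Default = renderV3(template, view);   // 'Hello World and <% name %>'
  const v3Custom = renderV3(template, view, undefined, ['<%', '%>']); // 'Hello {{name}} and World'

  return { v2, v3Default, v3Custom };
}
```

The v2 line is the surprise the guide warns about: the render call never mentioned custom delimiters, yet its output depends on an earlier parse. With the v3-style cache, the delimiters passed at render time decide which parse is used, so code that relied on the old leak must now pass them to every render call.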
This release is made to revert changes introduced in [2.3.1] that caused unexpected behaviour for several users.
Minor
v2.3.1
Minor
- Writer.prototype.parse to cache by tags in addition to template string, by [@raymond-lam].
- Writer.prototype.parse cache, by [@seminaoki].
Dev
- Rakefile, by [@phillipj].
Docs
- Mustache.parse() return type documentation, by [@bbrooks].
v2.3.0
Minor
- output argument to mustache CLI, by [@wizawu].
Dev
- null lookup when rendering an unescaped value, by [@dasilvacontin].
Dependencies
v2.2.1
Fixes
v2.2.0
Added
Changed
Fixes
Dependencies
v2.1.3
Added
Changed
Fixed
v2.1.2
Added
v2.1.1
Added
Fixed
- version property from bower.json, by [@kkirsche].
v2.1.0
v2.0.0
- undefined or null values, by [@dasilvacontin].
v1.2.0
v1.1.0
v1.0.0
Renovate configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot. View repository job log here.