All Versions
73
Latest Version
Avg Release Cycle
24 days
Latest Release
125 days ago

Changelog History
Page 1

  • v4.7.7 Changes

    February 15, 2021
    • ๐Ÿ›  fix weird error in integration tests - eb860c0
    • ๐Ÿ›  fix: check prototype property access in strict-mode (#1736) - b6d3de7
    • ๐Ÿ›  fix: escape property names in compat mode (#1736) - f058970
    • โ™ป๏ธ refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
    • โœ… chore: start testing on Node.js 12 and 13 - 3789a30

    (POSSIBLY) BREAKING CHANGES:

    • ๐Ÿš€ the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

    That is why we only bump the patch version despite mentioning breaking changes.

    Commits

  • v4.7.6 Changes

    April 03, 2020

    Chore/Housekeeping:

    Compatibility notes:

    • โช Restored Node.js compatibility

    Commits

  • v4.7.5 Changes

    April 02, 2020

    Chore/Housekeeping:

    • โช ~Node.js version support has been changed to v6+~ Reverted in 4.7.6

    Compatibility notes:

    • โช ~Node.js < v6 is no longer supported~ Reverted in 4.7.6

    Commits

  • v4.7.4 Changes

    March 31, 2020

    Chore/Housekeeping:

    Compatibility notes:

    • No incompatibilities are to be expected

    Commits

  • v4.7.3 Changes

    February 05, 2020

    Chore/Housekeeping:

    • #1644 - Download links to aws broken on handlebarsjs.com - access denied (@Tea56)
    • ๐Ÿ›  Fix spelling and punctuation in changelog - d78cc73

    ๐Ÿ›  Bugfixes:

    • โž• Add Type Definition for Handlebars.VERSION, Fixes #1647 - 4de51fe
    • ๐Ÿ“ฆ Include Type Definition for runtime.js in Package - a32d05f

    Compatibility notes:

    • No incompatibilities are to be expected

    Commits

  • v4.7.2 Changes

    January 13, 2020

    ๐Ÿ›  Bugfixes:

    • ๐Ÿ›  fix: don't wrap helpers that are not functions - 9d5aa36, #1639

    ๐Ÿ— Chore/Build:

    • chore: execute saucelabs-task only if access-key exists - a4fd391

    Compatibility notes:

    • No breaking changes are to be expected

    Commits

  • v4.7.1 Changes

    January 12, 2020

    ๐Ÿ›  Bugfixes:

    • ๐Ÿ›  fix: fix log output in case of illegal property access - f152dfc
    • ๐Ÿ›  fix: log error for illegal property access only once per property - 3c1e252

    Compatibility notes:

    • no incompatibilities are to be expected.

    Commits

  • v4.7.0 Changes

    January 10, 2020

    ๐Ÿ”‹ Features:

    • 0๏ธโƒฃ feat: default options for controlling proto access - 7af1c12, #1635
      • This makes it possible to disable the prototype access restrictions added in 4.6.0
      • an error is logged in the console, if access to prototype properties is attempted and denied and no explicit configuration has taken place.

    Compatibility notes:

    • no compatibilities are expected

    Commits

  • v4.6.0 Changes

    January 08, 2020

    ๐Ÿ”‹ Features:

    • feat: access control to prototype properties via whitelist (#1633)- d03b6ec

    ๐Ÿ›  Bugfixes:

    • ๐Ÿ›  fix(runtime.js): partials compile not caching (#1600) - 23d58e7

    ๐Ÿ“„ Chores, docs:

    • โ™ป๏ธ various refactorings and improvements to tests - d7f0dcf, 187d611, d337f40
    • ๐Ÿ— modernize the build-setup
      • use prettier to format and eslint to verify - c40d9f3, 8901c28, e97685e, 1f61f21
      • use nyc instead of istanbul to collect coverage - 164b7ff, 1ebce2b
      • update build code to use modern javascript and make it cleaner - 14b621c, 1ec1737, 3a5b65e, dde108e, 04b1984, 587e7a3
      • restructur build commands - e913dc5,
    • ๐Ÿ‘• eslint rule changes - ac4655e, dc54952
    • โšก๏ธ Update (C) year in the LICENSE file - d1fb07b
    • chore: try to fix saucelabs credentials (#1627) -
    • โšก๏ธ Update readme.md with updated links (#1620) - edcc84f

    ๐Ÿ’ฅ BREAKING CHANGES:

    • 0๏ธโƒฃ access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

    That is why we only bump the minor version despite mentioning breaking changes.

    Commits

  • v4.5.3 Changes

    November 18, 2019

    ๐Ÿ›  Bugfixes:

    • ๐Ÿ›  fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
    • ๐Ÿ›  fix: add more properties required to be enumerable - 1988878

    ๐Ÿ— Chores / Build:

    • ๐Ÿ›  fix: use !== 0 instead of != 0 - c02b05f
    • โž• add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0

    ๐Ÿ”’ Security:

    • The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "properties that must be enumerable". If a property by that name is found and not enumerable on its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.

    Compatibility notes:

    • ๐Ÿ”’ Due to the security-fixes. The semantics of the templates using __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ in the respect that those expression now return undefined rather than their actual value from the proto.
    • The semantics have not changed in cases where the properties are enumerable, as in:
    {
      __proto__: 'some string'
    }
    
    • The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.

    Commits