update handlebars@4.5.1 #184

Closed
wants to merge 4 commits into from

ChrisSchreiber

fix security advisory
see https://www.npmjs.com/advisories/1300

Contributor

@dougwilson dougwilson left a comment

Ugh, these security issues with handlebars are endless :) please update the HISTORY.md file with what the changes are between the current handlebars and this update.

@ChrisSchreiber
Author

It looks like 4.4.5 also fixes the security vulnerability. Would a smaller version jump be preferred?

@dougwilson
Contributor

It would only really make a difference if perhaps that would mean we could make a patch release here to reach more people than a minor release. But if either one requires a minor bump of this module it probably makes no difference.

@mccreeper98

something new ???

@@ -1,3 +1,16 @@
4.1.0 / 2019-11-04
Contributor

This should just be the word "unreleased" and have the ===== separator below it. The version number and date will get populated on publish.


* deps: handlebars@4.5.1
- Add method Handlebars.parseWithoutProcessing
- Add guard to if & unless helpers
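
Review bot: under `* deps: handlebars@4.5.1` the two listed items (the new `Handlebars.parseWithoutProcessing` method and the guard on the `if` & `unless` helpers) do not say which of them, if either, addresses the advisory cited in the PR description (https://www.npmjs.com/advisories/1300). Since the security fix is the stated reason for the bump, consider adding a line to this entry that names it, so users scanning HISTORY.md can tell the upgrade is security-relevant.
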
Contributor

It's not clear what this would mean to users of hbs. Is this just an internal change to handlebars that users cannot see? If so, you don't need to list it; if not, please expand on what the change means.

@@ -1,7 +1,7 @@
{
"name": "hbs",
"description": "Express.js template engine plugin for Handlebars",
"version": "4.0.6",
"version": "4.1.0",
Contributor

You don't actually bump the version in the PR; the release process npm version minor will do the bump and tagging.

- Bugfix: Contents of raw-blocks must be matched with non-eager regex-matching
- Bugfix: prevent zero length tokens in raw-blocks
- Add missing type fields to AST typings
- Error message for syntax error missing location in 4.2.1+
Contributor

This module never let this bug through, as we worked around the issue until handlebars fixed it. So probably not a change users would see fixed in the upgrade from hbs 4.0.6.

- Bugfix: Use objects for hash value tracking
- Bugfix: Contents of raw-blocks must be matched with non-eager regex-matching
- Bugfix: prevent zero length tokens in raw-blocks
- Add missing type fields to AST typings
Contributor

Not sure what this means, can you elaborate?

3 participants