Update release notes

This commit is contained in:
Nils Knappmeier
2020-02-23 11:01:33 +01:00
parent 156061eb77
commit 90ad8d97ad
+24 -1
View File
@@ -2,7 +2,30 @@
## Development
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.7...master)
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.8...master)
## v3.0.8 - February 23rd, 2020
Bugfixes:
- backport some (but not all) of the security fixes from 4.x - 156061e
Compatibility notes:
- The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__`
have been added to the list of "dangerous properties". If a property
by that name is found and not an own-property of its parent, it will silently evaluate to undefined.
This is done in both the compiled template and the "lookup"-helper. This will prevent
Remote-Code-Execution exploits that have been published in npm advisories [1324](https://www.npmjs.com/advisories/1324)
and [1316](https://www.npmjs.com/advisories/1316).
- The check for dangerous properties has been changed from "propertyIsEnumerable" to "hasOwnProperty", as it is now done
in Handlebars 4.6.0 and later.
Security issues resolved:
- [npm advisory 1324](https://www.npmjs.com/advisories/1324)
- [npm advisory 1316](https://www.npmjs.com/advisories/1316)
- [npm advisory 1325](https://www.npmjs.com/advisories/1325)
- [npm advisory 1164](https://www.npmjs.com/advisories/1164)
[Commits](https://github.com/wycats/handlebars.js/compare/v3.0.7...v3.0.8)
## v3.0.7 - June 30th, 2019
Security fixes: