This repository has been archived by the owner on Jan 26, 2023. It is now read-only.

Update dependency mustache to v3 [SECURITY] #7

Merged
merged 1 commit into gh-pages from renovate/npm-mustache-vulnerability
Aug 31, 2019

Conversation

renovate[bot]

@renovate renovate bot commented Aug 31, 2019

This PR contains the following updates:

Package   Type          Update  Change
mustache  dependencies  major   ~0.8.0 -> ~3.0.0

GitHub Vulnerability Alerts

CVE-2015-8862

mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.


Release Notes

janl/mustache.js

v3.0.3

Added
  • [#​713]: Add test cases for custom functions in partials, by [@​wol-soft].
Fixed
  • [#​714]: Bugfix for wrong function output in partials with indentation, by [@​phillipj].

v3.0.2

Fixed
  • [#​705]: Fix indentation of partials, by [@​kevindew] and [@​yotammadem].
Dev
  • [#​701]: Fix test failure for Node 10 and above, by [@​andersk].
  • [#​704]: Lint all test files just like the source files, by [@​phillipj].
  • Start experimenting & comparing GitHub Actions vs Travis CI, by [@​phillipj].

v3.0.1

  • [#​679]: Fix partials not rendering tokens when using custom tags, by [@​stackchain].

v3.0.0

We are very happy to announce a new major version of mustache.js. We want to be very careful not to break projects
out in the wild, and adhering to Semantic Versioning we have therefore cut this new major version.

The changes introduced will likely not require any actions for most using projects. The things to look out for that
might cause unexpected rendering results are described in the migration guide below.

A big shout out and thanks to [@​raymond-lam] for this release! Without his contributions with code and issue triaging,
this release would never have happened.

Major
  • [#​618]: Allow rendering properties of primitive types that are not objects, by [@​raymond-lam].
  • [#​643]: Writer.prototype.parse to cache by tags in addition to template string, by [@​raymond-lam].
  • [#​664]: Fix Writer.prototype.parse cache, by [@​seminaoki].
Minor
  • [#​673]: Add tags parameter to Mustache.render(), by [@​raymond-lam].

Migrating from mustache.js v2.x to v3.x

Rendering properties of primitive types

We have ensured properties of primitive types can be rendered at all times. That means Array.length, String.length
and similar. A corner case where this could cause unexpected output follows:

View:

{
  stooges: [
    { name: "Moe" },
    { name: "Larry" },
    { name: "Curly" }
  ]
}

Template:

{{#stooges}}
  {{name}}: {{name.length}} characters
{{/stooges}}

Output with v3.0:

  Moe: 3 characters
  Larry: 5 characters
  Curly: 5 characters

Output with v2.x:

  Moe:  characters
  Larry:  characters
  Curly:  characters

Caching for templates with custom delimiters

We have improved the templates cache to ensure custom delimiters are taken into consideration for the cache.
This improvement might cause unexpected rendering behaviour for using projects actively using the custom delimiters functionality.

Previously it was possible to use Mustache.parse() as a means to set global custom delimiters. If custom
delimiters were provided as an argument, it would affect all following calls to Mustache.render().
Consider the following:

const template = "[[item.title]] [[item.value]]";
mustache.parse(template, ["[[", "]]"]);

console.log(
  mustache.render(template, {
    item: {
      title: "TEST",
      value: 1
    }
  })
);

>> TEST 1

The above illustrates the fact that Mustache.parse() made mustache.js cache the template without considering
the custom delimiters provided. This is no longer true.

We no longer encourage using Mustache.parse() for this purpose, but have rather added a fourth argument to
Mustache.render() letting you provide custom delimiters when rendering.

If you still need to pre-parse the template and use custom delimiters at the same time, make sure to provide
the custom delimiters as an argument to Mustache.render() as well.

v2.3.2

This release is made to revert changes introduced in [2.3.1] that caused unexpected behaviour for several users.

Minor
  • [#​670]: Rollback template cache causing unexpected behaviour, by [@​raymond-lam].

v2.3.1

Minor
  • [#​643]: Writer.prototype.parse to cache by tags in addition to template string, by [@​raymond-lam].
  • [#​664]: Fix Writer.prototype.parse cache, by [@​seminaoki].
Dev
  • [#​666]: Install release tools with npm rather than pre-commit hook & Rakefile, by [@​phillipj].
  • [#​667], [#​668]: Stabilize browser test suite, by [@​phillipj].
Docs
  • [#​644]: Document global Mustache.escape overriding capacity, by [@​paultopia].
  • [#​657]: Correct Mustache.parse() return type documentation, by [@​bbrooks].

v2.3.0

Minor
  • [#​540]: Add optional output argument to mustache CLI, by [@​wizawu].
  • [#​597]: Add compatibility with amdclean, by [@​mightyplow].
Dev
  • [#​553]: Assert null lookup when rendering an unescaped value, by [@​dasilvacontin].
  • [#​580], [#​610]: Ignore eslint for greenkeeper updates, by [@​phillipj].
  • [#​560]: Fix CLI tests for Windows, by [@​kookookchoozeus].
  • Run browser tests w/node v4, by [@​phillipj].
Docs
  • [#​542]: Add API documentation to README, by [@​tomekwi].
  • [#​546]: Add missing syntax highlighting to README code blocks, by [@​pra85].
  • [#​569]: Update Ctemplate links in README, by [@​mortonfox].
  • [#​592]: Change "loadUser" to "loadUser()" in README, by [@​Flaque].
  • [#​593]: Adding doctype to HTML code example in README, by [@​calvinf].
Dependencies
  • eslint -> 2.2.0. Breaking changes fix by [@​phillipj]. [#​548]
  • eslint -> 2.5.1.
  • mocha -> 3.0.2.
  • zuul -> 3.11.0.

v2.2.1

Fixes
  • Improve HTML escaping, by [@​phillipj].
  • Fix inconsistency in defining global mustache object, by [@​simast].
  • Fix switch-case indent error, by [@​norfish].
  • Unpin chai and eslint versions, by [@​dasilvacontin].
  • Update README.md with proper grammar, by [@​EvanLovely].
  • Update mjackson username in README, by [@​mjackson].
  • Remove syntax highlighting in README code sample, by [@​imagentleman].
  • Fix typo in README, by [@​Xcrucifier].
  • Fix link typo in README, by [@​keirog].

v2.2.0

Added
  • Add Partials support to CLI, by [@​palkan].
Changed
  • Move install instructions to README's top, by [@​mateusortiz]
  • Improved devhook install output, by [@​ShashankaNataraj].
  • Clarifies and improves language in documentation, by [@​jfmercer].
  • Linting CLI tool, by [@​phillipj].
  • npm 2.x and node v4 on Travis, by [@​phillipj].
Fixes
  • Fix README spelling error to "aforementioned", by [@​djchie].
  • Equal error message test in .render() for server and browser, by [@​phillipj].
Dependencies
  • chai -> 3.3.0
  • eslint -> 1.6.0

v2.1.3

Added
  • Throw error when providing .render() with invalid template type, by [@​phillipj].
  • Documents use of string literals containing double quotes, by [@​jfmercer].
Changed
  • Move mustache gif to githubusercontent, by [@​Andersos].
Fixed
  • Update UMD Shim to be resilient to HTMLElement global pollution, by [@​mikesherov].

v2.1.2

Added
  • Mustache global definition ([#​466]) by [@​yousefcisco].

v2.1.1

Added
  • State that we use semver on the change log, by [@​dasilvacontin].
  • Added version links to change log, by [@​dasilvacontin].
Fixed
  • Bugfix for using values from view's context prototype, by [@​phillipj].
  • Improve test with undefined/null lookup hit using dot notation, by [@​dasilvacontin].
  • Bugfix for null/undefined lookup hit when using dot notation, by [@​phillipj].
  • Remove moot version property from bower.json, by [@​kkirsche].
  • bower.json doesn't require a version bump via hook, by [@​dasilvacontin].

v2.1.0

  • Added license attribute to package.json, by [@​pgilad].
  • Minor changes to make mustache.js compatible with both WSH and ASP, by [@​nagaozen].
  • Improve CLI view parsing error, by [@​phillipj].
  • Bugfix for view context cache, by [@​phillipj].

v2.0.0

  • Fixed lookup not stopping upon finding undefined or null values, by [@​dasilvacontin].
  • Refactored pre-commit hook, by [@​dasilvacontin].

v1.2.0

  • Added -v option to CLI, by [@​phillipj].
  • Bugfix for rendering Number when it serves as the Context, by [@​phillipj].
  • Specified files in package.json for a cleaner install, by [@​phillipj].

v1.1.0

  • Refactor Writer.renderTokens() for better readability, by [@​phillipj].
  • Cleanup tests section in readme, by [@​phillipj].
  • Added JSHint to tests/CI, by [@​phillipj].
  • Added node v0.12 on travis, by [@​phillipj].
  • Created command line tool, by [@​phillipj].
  • Added falsy to Inverted Sections description in README, by [@​kristijanmatic].

v1.0.0

  • Inline tag compilation, by [@​mjackson].
  • Fixed AMD registration, volo package.json entry, by [@​jrburke].
  • Added spm support, by [@​afc163].
  • Only access properties of objects on Context.lookup, by [@​cmbuckley].

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot. View repository job log here.
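The CVE-2015-8862 entry in this PR concerns a mustache tag rendered into an unquoted HTML attribute, which the "Improve HTML escaping" change in v2.2.1 addresses. As an added example that is not part of this PR or of mustache.js, the following lint finds such tags in a template so they can be quoted regardless of which library version is installed; the sample templates are constructed.

```javascript
// Added example, not code from this PR or from mustache.js.
// CVE-2015-8862 concerns a {{tag}} rendered into an unquoted HTML attribute.
// Escaping alone cannot make that position safe (a space already ends an
// unquoted attribute value), so the durable fix is to quote the attribute.

// Constructed sample templates (not taken from the page).
const SAMPLES = {
  quoted:   '<a href="{{url}}" title="{{title}}">{{name}}</a>',
  unquoted: '<a href={{url}}>{{name}}</a>',
  triple:   '<img alt="{{alt}}" src={{{src}}}>',
};

// Attribute name, '=', optional whitespace, then a mustache tag with no quote
// in between. A quote is not whitespace, so href="{{url}}" does not match
// while href={{url}} does. Captures the attribute name and the tag.
const UNQUOTED_ATTR_TAG =
  /([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(\{\{\{?[^{}]*\}\}\}?)/g;

// One finding per unquoted attribute whose value is a mustache tag.
// 'unescaped' marks triple-mustache and {{& }} tags, which bypass escaping
// entirely and are the highest-risk case.
function findUnquotedAttributeTags(template) {
  const findings = [];
  for (const m of template.matchAll(UNQUOTED_ATTR_TAG)) {
    const tag = m[2];
    findings.push({
      attr: m[1],
      tag,
      offset: m.index,
      unescaped: tag.startsWith('{{{') || /^\{\{\s*&/.test(tag),
    });
  }
  return findings;
}

// Mechanical remediation: wrap each flagged tag in double quotes. Already
// quoted tags are untouched because the pattern never matches them.
function quoteAttributeTags(template) {
  return template.replace(UNQUOTED_ATTR_TAG, (_, attr, tag) => `${attr}="${tag}"`);
}

// Lint every sample and report the number of findings per template.
function lintSamples(samples = SAMPLES) {
  const report = {};
  for (const [name, tpl] of Object.entries(samples)) {
    report[name] = findUnquotedAttributeTags(tpl).length;
  }
  return report;
}
```

Run it over a project's template directory before relying on the upgrade; the lint is a pattern check, not an HTML parser, so a finding of zero is a hint rather than a proof.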

@renovate renovate bot force-pushed the renovate/npm-mustache-vulnerability branch from a0ad875 to 8aa6a09 Compare August 31, 2019 16:47
@duyet duyet merged commit 7c00588 into gh-pages Aug 31, 2019
@delete-merged-branch delete-merged-branch bot deleted the renovate/npm-mustache-vulnerability branch August 31, 2019 16:48