Release Notes

Development

Commits

v3.0.8 - February 23rd, 2020

Bugfixes:

  • backport some (but not all) of the security fixes from 4.x - 156061e

Compatibility notes:

  • The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "dangerous properties". If a property by that name is found and not an own-property of its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent Remote-Code-Execution exploits that have been published in npm advisories 1324 and 1316.
  • The check for dangerous properties has been changed from "propertyIsEnumerable" to "hasOwnProperty", as it is now done in Handlebars 4.6.0 and later.

Security issues resolved:

Commits

v3.0.7 - June 30th, 2019

Security fixes:

Housekeeping

  • disable saucelabs-tests since the tunnel is not working - 95f33b1
  • update grunt-saucelabs and aws dependency - 09aaa56
  • fix package.json of components/handlebars.js repo - 7cf753b
  • Fix Travis by updating git tag retrieval - 7c3944015d30a4348ae66ec1736b752cd864d5c1
  • Use istanbul/lib/cli.js instead of node_modules/.bin/istanbul - 7820b207e123babd0bda0b4871790f2ea6b36b01

Tests:

  • test: run appveyor tests in Node 10 - 420ac171a01b8777ebce0a777221754fcc72a5a8
  • Fix build on Windows - 47adcda48530ab1504b8019fe17eaedd4f4c943f

Compatibility notes:

Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent Remote Code Execution. This means that the following construct will no longer work:

class SomeClass {
}

SomeClass.staticProperty = 'static'

var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.

This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).
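
As an added illustration (not code from the Handlebars project), the sketch below models the guard that the 3.0.7 and 3.0.8 compatibility notes describe: a dangerous name evaluates to undefined unless it is an own property of its parent. It also contrasts the earlier propertyIsEnumerable check with hasOwnProperty. The helper names makeLookup, lookupOld and lookupNew and the sample objects are assumptions made for the example.

```javascript
// Sketch of the guard described in the notes; NOT the Handlebars source.
// Names taken from the 3.0.7 and 3.0.8 compatibility notes.
const DANGEROUS = new Set([
  'constructor',
  '__proto__',
  '__defineGetter__',
  '__defineSetter__',
  '__lookupGetter__',
]);

const hasOwn = (obj, name) => Object.prototype.hasOwnProperty.call(obj, name);
const isEnumerable = (obj, name) =>
  Object.prototype.propertyIsEnumerable.call(obj, name);

// makeLookup (hypothetical helper) builds a property lookup that returns
// undefined for a dangerous name unless `ownCheck` accepts it on the parent.
function makeLookup(ownCheck) {
  return function lookup(parent, name) {
    if (parent == null) return undefined;
    if (DANGEROUS.has(name) && !ownCheck(parent, name)) return undefined;
    return parent[name];
  };
}

const lookupOld = makeLookup(isEnumerable); // check used before 3.0.8
const lookupNew = makeLookup(hasOwn);       // check used from 3.0.8 on

// Constructed sample contexts.
class SomeClass {}
SomeClass.staticProperty = 'static';
const instance = new SomeClass();

const data = { constructor: 'own data field', title: 'hello' };

const hidden = {};
Object.defineProperty(hidden, 'constructor', {
  value: 'non-enumerable own field',
  enumerable: false,
});

function demo() {
  return {
    inherited: lookupNew(instance, 'constructor'), // reached via the prototype chain
    proto: lookupNew({}, '__proto__'),             // accessor on Object.prototype
    ownData: lookupNew(data, 'constructor'),       // legitimate own data field
    ordinary: lookupNew(data, 'title'),            // names off the list are untouched
    hiddenOld: lookupOld(hidden, 'constructor'),   // own but non-enumerable
    hiddenNew: lookupNew(hidden, 'constructor'),
  };
}

console.log(demo());
```

The two checks differ only for own properties that are non-enumerable: the propertyIsEnumerable variant hides them, while the hasOwnProperty variant returns them.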

Commits

v3.0.6 - January 2nd, 2019

Chore:

  • prevent tagging 3.x versions as "latest" in npm - df403ed, #1486
  • ignore idea config - af919d2
  • fix travis build - 9283205
  • update components/handlebars package.json on release - 9679fe6
  • add active NodeJS versions to travis - d207ad0

Fix:

  • No longer escape "=" in HTML content - 6e9dbac, #1489
  • gracefully handle read-only "column"-property of the Error class (required in Safari 9+) - 725986d

Compatibility notes:

  • Compatibility to 3.0.5 is broken due to reverting to not escaping "=" in HTML, but compatibility to 3.0.3 is restored.

Commits

v3.0.5 - December 15th, 2018

  • chore: use node 10.x in travis-build - 4ed0a62

Compatibility notes:

  • no breaking changes

Commits

v3.0.4 - December 15th, 2018

  • Further relax uglify dependency - 4cd5305
  • Update uglify-js to avoid vulnerability - d97c2e6
  • Escape = in HTML content - 1c863e3

Compatibility notes:

  • No breaking changes

Commits

v3.0.3 - April 28th, 2015

  • #1004 - Latest version breaks with RequireJS (global is undefined) (@boskee)

Commits

v3.0.2 - April 20th, 2015

  • #998 - Add full support for es6 (@kpdecker)
  • #994 - Access Handlebars.Visitor in browser (@tamlyn)
  • #990 - Allow passing null/undefined literals subexpressions (@blimmer)
  • #989 - Source-map error with requirejs (@SteppeEagle)
  • #967 - can't access "this" property (@75lb)
  • Use captureStackTrace for error handler - a009a97
  • Ignore branches tested without coverage monitoring - 37a664b

Commits

v3.0.1 - March 24th, 2015

Commits

v3.0.0 - February 10th, 2015

  • #941 - Add support for dynamic partial names (@kpdecker)

  • #940 - Add missing reserved words so compiler knows to use array syntax: (@mattflaschen)

  • #938 - Fix example using #with helper (@diwo)

  • #930 - Add parent tracking and mutation to AST visitors (@kpdecker)

  • #926 - Depthed lookups fail when program duplicator runs (@kpdecker)

  • #918 - Add instructions for 'spec/mustache' to CONTRIBUTING.md, fix a few typos (@oneeman)

  • #915 - Ast update (@kpdecker)

  • #910 - Different behavior of {{@last}} when {{#each}} in {{#each}} (@zordius)

  • #907 - Implement named helper variable references (@kpdecker)

  • #906 - Add parser support for block params (@mmun)

  • #903 - Only provide aliases for multiple use calls (@kpdecker)

  • #902 - Generate Source Maps (@kpdecker)

  • #901 - Still escapes with noEscape enabled on isolated Handlebars environment (@zedknight)

  • #896 - Simplify BlockNode by removing intermediate MustacheNode (@mmun)

  • #892 - Implement parser for else chaining of helpers (@kpdecker)

  • #889 - Consider extensible parser API (@kpdecker)

  • #887 - Handlebars.noConflict() option? (@bradvogel)

  • #886 - Add SafeString to context (or use duck-typing) (@dominicbarnes)

  • #870 - Registering undefined partial throws exception. (@max-b)

  • #866 - comments don't respect whitespace control (@75lb)

  • #863 - + jsDelivr CDN info (@tomByrer)

  • #858 - Disable new default auto-indent at included partials (@majodev)

  • #856 - jspm compatibility (@MajorBreakfast)

  • #805 - Request: "strict" lookups (@nzakas)

  • Export the default object for handlebars/runtime - 5594416

  • Lookup partials when undefined - 617dd57

Compatibility notes:

  • Runtime breaking changes. Must match 3.x runtime and precompiler.
  • The AST has been upgraded to a public API.
    • There are a number of changes to this, but the format is now documented in docs/compiler-api.md
    • The Visitor API has been expanded to support mutation and provide a base implementation
  • The JavaScriptCompiler APIs have been formalized and documented. As part of the sourcemap handling these should be updated to return arrays for concatenation.
  • JavaScriptCompiler.namespace has been removed as it was unused.
  • SafeString is now duck typed on toHTML

New Features:

  • noConflict
  • Source Maps
  • Block Params
  • Strict Mode
  • @last and other each changes
  • Chained else blocks
  • @data methods can now have helper parameters passed to them
  • Dynamic partials

Commits

v2.0.0 - September 1st, 2014

  • Update jsfiddle to 2.0.0-beta.1 - 0670f65
  • Add contrib note regarding handlebarsjs.com docs - 4d17e3c
  • Play nice with gemspec version numbers - 64d5481

Commits

v2.0.0-beta.1 - August 26th, 2014

  • #787 - Remove whitespace surrounding standalone statements (@kpdecker)

  • #827 - Render false literal as “false” (@scoot557)

  • #767 - Subexpressions bug with hash and context (@evensoul)

  • Changes to 0/undefined handling

    • #731 - Strange behavior for {{#foo}} {{bar}} {{/foo}} when foo is 0 (@kpdecker)
    • #820 - strange behavior for {{foo.bar}} when foo is 0 or null or false (@zordius)
    • #837 - Strange input for custom helper ( foo.bar == false when foo is undefined ) (@zordius)
  • #819 - Implement recursive field lookup (@kpdecker)

  • #764 - This reference not working for helpers (@kpdecker)

  • #773 - Implicit parameters in {{#each}} introduces a peculiarity in helpers calling convention (@Bertrand)

  • #783 - helperMissing and consistency for different expression types (@ErisDS)

  • #795 - Turn the precompile script into a wrapper around a module. (@jwietelmann)

  • #823 - Support inverse sections on the with helper (@dan-manges)

  • #834 - Refactor blocks, programs and inverses (@mmun)

  • #852 - {{foo~}} space control behavior is different from older version (@zordius)

  • #835 - Templates overwritten if file is loaded twice

  • Expose escapeExpression on the root object - 980c38c

  • Remove nested function eval in blockHelperMissing - 6f22ec1

  • Fix compiler program de-duping - 9e3f824

Compatibility notes:

  • The default build now outputs a generic UMD wrapper. This should be a transparent change but may cause issues in some environments.
  • Runtime compatibility breaks in both directions. Ensure that both compiler and client are upgraded to 2.0.0-beta.1 or higher at the same time.
    • programWithDepth has been removed and instead an array of context values is passed to fields needing depth lookups.
  • false values are now printed to output rather than silently dropped
  • Lines containing only block statements and whitespace are now removed. This matches the Mustache spec but may cause issues with code that expects whitespace to exist but would not otherwise.
  • Partials that are standalone will now indent their rendered content
  • AST.ProgramNode's signature has changed.
  • Numerous methods/features removed from pseudo-API classes
    • JavaScriptCompiler.register
    • JavaScriptCompiler.replaceStack no longer supports non-inline replace
    • Compiler.disassemble
    • DECLARE opcode
    • strip opcode
    • lookup opcode
    • Content nodes may have their string values mutated over time. original field provides the unmodified value.
  • Removed unused Handlebars.registerHelper inverse parameter
  • each helper requires iterator parameter

Commits

v2.0.0-alpha.4 - May 19th, 2014

  • Expose setup wrappers for compiled templates - 3638874

Commits

v2.0.0-alpha.3 - May 19th, 2014

  • #797 - Pass full helper ID to helperMissing when options are provided (@tomdale)
  • #793 - Ensure isHelper is coerced to a boolean (@mmun)
  • Refactor template init logic - 085e5e1

Commits

v2.0.0-alpha.2 - March 6th, 2014

  • #756 - fix bug in IE<=8 (no Array::map), closes #751 (@jenseng)
  • #749 - properly handle multiple subexpressions in the same hash, fixes #748 (@jenseng)
  • #743 - subexpression confusion/problem? (@waynedpj)
  • #746 - [CLI] support handlebars --version (@apfelbox)
  • #747 - updated grunt-saucelabs, failing tests revealed (@Jonahss)
  • Make JSON a requirement for the compiler. - 058c0fb
  • Temporarily kill the AWS publish CI step - 8347ee2

Compatibility notes:

  • A JSON polyfill is required to run the compiler under IE8 and below. It's recommended that the precompiler be used in lieu of running the compiler on these legacy environments.

Commits

v2.0.0-alpha.1 - February 10th, 2014

Compatibility notes:

  • helperMissing helper no longer has the indexed name argument. Helper name is now available via options.name.
  • Precompiler output has changed, which breaks compatibility with prior versions of the runtime and precompiled output.
  • JavaScriptCompiler.compilerInfo now returns generic objects rather than javascript source.
  • AST changes
    • INTEGER -> NUMBER
    • Additional PartialNode hash parameter
    • New RawBlockNode type
  • Data frames now have a _parent field. This is internal but is enumerable for performance/compatibility reasons.

Commits

v1.3.0 - January 1st, 2014

  • #690 - Added support for subexpressions (@machty)
  • #696 - Fix for reserved keyword "default" (@nateirwin)
  • #692 - add line numbers to nodes when parsing (@fivetanley)
  • #695 - Pull options out from param setup to allow easier extension (@blakeembrey)
  • #694 - Make the environment reusable (@blakeembrey)
  • #636 - Print line and column of errors (@sgronblo)
  • Use literal for data lookup - c1a93d3
  • Add stack handling sanity checks - cd885bf
  • Fix stack id "leak" on replaceStack - ddfe457
  • Fix incorrect stack pop when replacing literals - f4d337d

Commits

v1.2.1 - December 26th, 2013

  • #684 - Allow any number of trailing characters for valid JavaScript variable (@blakeembrey)
  • #686 - Falsy AMD module names in version 1.2.0 (@kpdecker)

Commits

v1.2.0 - December 23rd, 2013

  • #675 - Cannot compile empty template for partial (@erwinw)
  • #677 - Triple brace statements fail under IE (@hamzaCM)
  • #655 - Loading Handlebars using bower (@niki4810)
  • #657 - Fixes issue where cli compiles non handlebars templates (@chrishoage)
  • #681 - Adds in-browser testing and Saucelabs CI (@kpdecker)
  • #661 - Add @first and @index to #each object iteration (@cgp)
  • #650 - Handlebars is MIT-licensed (@thomasboyt)
  • #641 - Document ember testing process (@kpdecker)
  • #662 - handlebars-source 1.1.2 is missing from RubyGems.
  • #656 - Expose COMPILER_REVISION checks as a hook (@machty)
  • #668 - Consider publishing handlebars-runtime as a separate module on npm (@dlmanning)
  • #679 - Unable to override invokePartial (@mattbrailsford)
  • #646 - Fix "\{{" immediately following "{{" (@dmarcotte)
  • Allow extend to work with non-prototyped objects - eb53f2e
  • Add JavascriptCompiler public API tests - 1a751b2
  • Add AST test coverage for more complex paths - ddea5be
  • Fix handling of boolean escape in MustacheNode - b4968bb

Compatibility notes:

  • @index and @first are now supported for each iteration on objects
  • Handlebars.VM.checkRevision and Handlebars.JavaScriptCompiler.prototype.compilerInfo now available to modify the version checking behavior.
  • Browserify users may link to the runtime library via require('handlebars/runtime')

Commits

v1.1.2 - November 5th, 2013

  • #645 - 1.1.1 fails under IE8 (@kpdecker)

  • #644 - Using precompiled templates (AMD mode) with handlebars.runtime 1.1.1 (@fddima)

  • Add simple binary utility tests - 96a45a4

  • Fix empty string compilation - eea708a

Commits

v1.1.1 - November 4th, 2013

  • #642 - handlebars 1.1.0 are broken with nodejs

  • Fix release notes link - 17ba258

Commits

v1.1.0 - November 3rd, 2013

  • #628 - Convert code to ES6 modules (@kpdecker)

  • #336 - Add whitespace control syntax (@kpdecker)

  • #535 - Fix for probable JIT error under Safari (@sorentwo)

  • #483 - Add first and last @ vars to each helper (@denniskuczynski)

  • #557 - \\{{foo}} escaping only works in some situations (@dmarcotte)

  • #552 - Added BOM removal flag. (@blessenm)

  • #543 - publish passing master builds to s3 (@fivetanley)

  • #608 - Add includeZero flag to if conditional

  • #498 - Handlebars.compile fails on empty string although a single blank works fine

  • #599 - lambda helpers only receive options if used with arguments

  • #592 - Optimize array and subprogram performance

  • #571 - uglify upgrade breaks compatibility with older versions of node

  • #587 - Partial inside partial breaks?

Compatibility notes:

  • The project now includes separate artifacts for AMD, CommonJS, and global objects.
    • AMD: Users may load the bundled handlebars.amd.js or handlebars.runtime.amd.js files or load individual modules directly. AMD users should also note that the handlebars object is exposed via the default field on the imported object. This gist provides some discussion of possible compatibility shims.
    • CommonJS/Node: Node loading occurs as normal via require
    • Globals: The handlebars.js and handlebars.runtime.js files should behave in the same manner as the v1.0.12 / 1.0.0 release.
  • Build artifacts have been removed from the repository. npm, components/handlebars.js, cdnjs, or the builds page should now be used as the source of built artifacts.
  • Context-stored helpers are now always passed the options hash. Previously no-argument helpers did not have this argument.

Commits

v1.0.12 / 1.0.0 - May 31 2013

  • #515 - Add node require extensions support (@jjclark1982)
  • #517 - Fix amd precompiler output with directories (@blessenm)
  • #433 - Add support for unicode ids
  • #469 - Add support for ? in ids
  • #534 - Protect from object prototype modifications
  • #519 - Fix partials with . name (@jamesgorrie)
  • #519 - Allow ID or strings in partial names
  • #437 - Require matching brace counts in escaped expressions
  • Merge passed partials and helpers with global namespace values
  • Add support for complex ids in @data references
  • Docs updates

Compatibility notes:

  • The parser is now stricter on {{{, requiring that the end token be }}}. Templates that do not follow this convention should add the additional brace value.
  • Code that relies on the global namespace being muted when custom helpers or partials are passed will need to explicitly pass an undefined value for any helpers that should not be available.
  • The compiler version has changed. Precompiled templates with 1.0.12 or higher must use the 1.0.0 or higher runtime.

Commits

v1.0.11 / 1.0.0-rc4 - May 13 2013

Commits

v1.0.10 - Node - Feb 27 2013

  • #428 - Fix incorrect rendering of nested programs
  • Fix exception message (@tricknotes)
  • Added negative number literal support
  • Convert library to single IIFE
  • Add handlebars-source gemspec (@machty)

Commits

v1.0.9 - Node - Feb 15 2013

  • Added Handlebars.create API in node module for sandboxed instances (@tommydudebreaux)

Commits

1.0.0-rc3 - Browser - Feb 14 2013

  • Prevent use of this or .. in illogical place (@leshill)
  • Allow AST passing for parse/compile/precompile (@machty)
  • Optimize generated output by inlining statements where possible
  • Check compiler version when evaluating templates
  • Package browser dist in npm package

Commits

Prior Versions

When upgrading from the Handlebars 0.9 series, be aware that the signature for passing custom helpers or partials to templates has changed.

Instead of:

template(context, helpers, partials, [data])

Use:

template(context, {helpers: helpers, partials: partials, data: data})