chore(deps): Update dependency handlebars to version 4.7.7 🌟

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
handlebars (source)	4.3.5 → 4.7.7

---

Prototype Pollution in handlebars

CVE-2021-23383 / GHSA-765h-qjxv-5f44

More information

Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-23383
• https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
• https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
• https://www.npmjs.com/package/handlebars
• https://security.netapp.com/advisory/ntap-20210618-0007/
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
• https://github.com/advisories/GHSA-765h-qjxv-5f44

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Remote code execution in handlebars when compiling templates

CVE-2021-23369 / GHSA-f2jv-r9rf-7988

More information

Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-23369
• https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
• https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
• https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
• https://security.netapp.com/advisory/ntap-20210604-0008/
• https://github.com/advisories/GHSA-f2jv-r9rf-7988

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

handlebars-lang/handlebars.js (handlebars)

v4.7.7

Compare Source

• fix weird error in integration tests - eb860c0
• fix: check prototype property access in strict-mode (#​1736) - b6d3de7
• fix: escape property names in compat mode (#​1736) - f058970
• refactor: In spec tests, use expectTemplate over equals and shouldThrow (#​1683) - 77825f8
• chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

• the changes from version 4.6.0 now also apply
  in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods
  can be allowed via runtime-options. See #​1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties
  from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.