Update Handlebars dependency to version 4 #91
Conversation
|
I'm actually holding off from doing this on purpose as there's a breaking change in 4 that I haven't properly thought through the consequences of yet. Instead, I'm going to be pushing a few changes back to the v3 branch of handlebars short term, publish a new version of express-hbs to use that, then also do v4. S'been on my todo list for the past week, will try to get to it asap! |
For clarity, there's a fix for a vulnerability in handlebars + the need to update uglify-js |
|
Awesome--will close this. Out of curiosity, what's the breaking change? The tests pass and nothing really jumped out of from changelog from v3 -> v4. |
|
Ha, it's actually a change I requested (and am very happy about) however it has the potential to cause weird bugs in old themes for sure: handlebars-lang/handlebars.js#1028 From the 4.0 compat notes:
I think in all likelihood that this will only a affect very, very small number of people, because it was easier to workaround this weirdness than to understand and use it in templates. Casper has some inconsistencies between the author.hbs and tag.hbs templates which I have never cleaned up for this exact reason. However, I figure it's safer to update v3 to be secure for now, and then do a bit of data mining on popular themes to see if any of them are affected before making the breaking change, possibly as the part of the 0.8 release for Ghost. That also gives anyone else depending on express-hbs the same opportunity = a secure upgrade and then a breaking one. |
|
Turns out trying to publish a security fix to v3 of handlebars is not easy enough to warrant doing it - can you reopen this? |
|
I didn't expect it to come back so I deleted the branch. I opened a new PR #92. |
< 4.0shipped with a version ofuglify-jsthat has some issues. Upgrading to 4 brings in a fixed version ofuglify-js.