
Commit f35f853

Auto merge of #2070 - rust-lang:dependabot/npm_and_yarn/handlebars-4.5.3, r=Turbo87
Bump handlebars from 4.2.0 to 4.5.3

Bumps [handlebars](https://github.com/wycats/handlebars.js) from 4.2.0 to 4.5.3.

<details>
<summary>Changelog</summary>

*Sourced from [handlebars's changelog](https://github.com/wycats/handlebars.js/blob/master/release-notes.md).*

> ## v4.5.3 - November 18th, 2019
> Bugfixes:
>
> - fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
> - fix: add more properties required to be enumerable - 1988878
>
> Chores / Build:
> - fix: use !== 0 instead of != 0 - c02b05f
> - add chai and dirty-chai and sinon, for cleaner test-assertions and spies,
>   deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0
>
> Security:
>
> - The properties `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__`
>   have been added to the list of "properties that must be enumerable".
>   If a property by that name is found and not enumerable on its parent,
>   it will silently evaluate to `undefined`. This is done in both the compiled template and the "lookup"-helper.
>   This will prevent new Remote-Code-Execution exploits that have been
>   published recently.
>
> Compatibility notes:
>
> - Due to the security-fixes. The semantics of the templates using
>   `__proto__`, `__defineGetter__`, `__defineSetter__` and `__lookupGetter__` in the respect that those expression now return
>   `undefined` rather than their actual value from the proto.
> - The semantics have not changed in cases where the properties are enumerable, as in:
>
>   ```js
>   {
>     __proto__: 'some string'
>   }
>   ```
>
> - The change may be breaking in that respect, but we still only
>   increase the patch-version, because the incompatible use-cases
>   are not intended, undocumented and far less important than fixing
>   Remote-Code-Execution exploits on existing systems.
>
> [Commits](handlebars-lang/handlebars.js@v4.5.2...v4.5.3)
>
> ## v4.5.2 - November 13th, 2019
> # Bugfixes
>
> - fix: use String(field) in lookup when checking for "constructor" - d541378
> - test: add fluent API for testing Handlebars - c2ac79c
>
> Compatibility notes:
> - no incompatibility are to be expected

... (truncated)

</details>

<details>
<summary>Commits</summary>

- [`c819c8b`](handlebars-lang/handlebars.js@c819c8b) v4.5.3
- [`827c9d0`](handlebars-lang/handlebars.js@827c9d0) Update release notes
- [`f7f05d7`](handlebars-lang/handlebars.js@f7f05d7) fix: add "no-prototype-builtins" eslint-rule and fix all occurences
- [`1988878`](handlebars-lang/handlebars.js@1988878) fix: add more properties required to be enumerable
- [`886ba86`](handlebars-lang/handlebars.js@886ba86) test/chore: add chai/expect and sinon to "runtime"-environment
- [`0817dad`](handlebars-lang/handlebars.js@0817dad) test: add sinon as global variable to eslint in the specs
- [`93516a0`](handlebars-lang/handlebars.js@93516a0) test: add sinon.js for spies, deprecate current assertions
- [`93e284e`](handlebars-lang/handlebars.js@93e284e) chore: add chai and dirty-chai for better test assertions
- [`c02b05f`](handlebars-lang/handlebars.js@c02b05f) fix: use !== 0 instead of != 0
- [`8de121d`](handlebars-lang/handlebars.js@8de121d) v4.5.2
- Additional commits viewable in [compare view](handlebars-lang/handlebars.js@v4.2.0...v4.5.3)

</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=handlebars&package-manager=npm_and_yarn&previous-version=4.2.0&new-version=4.5.3)](https://help.github.com/articles/configuring-automated-security-fixes)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
2 parents ef7cfd3 + 9410760 commit f35f853
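
The enumerability rule from the v4.5.3 security note, sketched as an added example (not handlebars source and not part of this commit). The function names and sample objects are hypothetical; the guarded property names are the ones the release notes above mention.

```javascript
// Added illustration, not handlebars source. Function names are hypothetical.
const GUARDED = new Set([
  'constructor',
  '__proto__',
  '__defineGetter__',
  '__defineSetter__',
  '__lookupGetter__',
]);

// Unguarded lookup: walks the prototype chain, so a template-supplied field
// name can resolve to inherited built-ins.
function naiveLookup(obj, field) {
  return obj == null ? obj : obj[field];
}

// Guarded lookup: a guarded name resolves only when it is an own, enumerable
// property of the object; otherwise it silently evaluates to undefined.
function guardedLookup(obj, field) {
  if (obj == null) return obj;
  const name = String(field); // coerce first so ['__proto__'] is caught too
  if (GUARDED.has(name) &&
      !Object.prototype.propertyIsEnumerable.call(obj, name)) {
    return undefined;
  }
  return obj[name];
}

// Constructed sample contexts.
const plain = { title: 'hello' };
// JSON.parse creates an own, enumerable "__proto__" data property, which is
// the "properties are enumerable" case from the compatibility notes.
const explicit = JSON.parse('{"__proto__": "some string"}');

function demo() {
  return {
    naiveProto: naiveLookup(plain, '__proto__') === Object.prototype,
    guardedProto: guardedLookup(plain, '__proto__'),
    guardedCtor: guardedLookup(plain, 'constructor'),
    guardedArrayField: guardedLookup(plain, ['__defineGetter__']),
    ordinary: guardedLookup(plain, 'title'),
    enumerableOwn: guardedLookup(explicit, '__proto__'),
  };
}

console.log(demo());
```
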

1 file changed: +4 -37 lines changed
package-lock.json: +4 -37

Some generated files are not rendered by default.
