SECURITY: Bump Handlebars to version 4.1.2

WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects prototype, thus allowing an attacker to execute arbitrary code on the server.

package.json

@@ -11,7 +11,7 @@
     "bootbox": "3.2.0",
     "chart.js": "2.7.3",
     "favcount": "https://github.com/chrishunt/favcount",
-    "handlebars": "^4.1.1",
+    "handlebars": "^4.1.2",
     "highlight.js": "https://github.com/highlightjs/highlight.js",
     "htmlparser": "https://github.com/tautologistics/node-htmlparser",
     "intersection-observer": "^0.5.1",

vendor/assets/javascripts/handlebars.js

@@ -1,7 +1,7 @@
 /**!
 
  @license
- handlebars v4.1.1
+ handlebars v4.1.2
 
 Copyright (C) 2011-2017 by Yehuda Katz
 
@@ -275,7 +275,7 @@ return /******/ (function(modules) { // webpackBootstrap
 
 	var _logger2 = _interopRequireDefault(_logger);
 
-	var VERSION = '4.1.1';
+	var VERSION = '4.1.2';
 	exports.VERSION = VERSION;
 	var COMPILER_REVISION = 7;
 
@@ -868,7 +868,13 @@ return /******/ (function(modules) { // webpackBootstrap
 
 	exports['default'] = function (instance) {
 	  instance.registerHelper('lookup', function (obj, field) {
-	    return obj && obj[field];
+	    if (!obj) {
+	      return obj;
+	    }
+	    if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
+	      return undefined;
+	    }
+	    return obj[field];
 	  });
 	};
 

vendor/assets/javascripts/handlebars.runtime.js

@@ -1,7 +1,7 @@
 /**!
 
  @license
- handlebars v4.1.1
+ handlebars v4.1.2
 
 Copyright (C) 2011-2017 by Yehuda Katz
 
@@ -207,7 +207,7 @@ return /******/ (function(modules) { // webpackBootstrap
 
 	var _logger2 = _interopRequireDefault(_logger);
 
-	var VERSION = '4.1.1';
+	var VERSION = '4.1.2';
 	exports.VERSION = VERSION;
 	var COMPILER_REVISION = 7;
 
@@ -800,7 +800,13 @@ return /******/ (function(modules) { // webpackBootstrap
 
 	exports['default'] = function (instance) {
 	  instance.registerHelper('lookup', function (obj, field) {
-	    return obj && obj[field];
+	    if (!obj) {
+	      return obj;
+	    }
+	    if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
+	      return undefined;
+	    }
+	    return obj[field];
 	  });
 	};
 

yarn.lock

@@ -1036,10 +1036,10 @@ graceful-fs@^4.1.2:
   resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.1.15.tgz#ffb703e1066e8a0eeaa4c8b80ba9253eeefbfb00"
   integrity sha512-6uHUhOPEBgQ24HM+r6b/QwWfZq+yiFcipKFrOFiBEnWdy5sdzYoi+pJeQaPI5qOLRFqWmAXUPQNsielzdLoecA==
 
-handlebars@^4.1.1:
-  version "4.1.1"
-  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.1.tgz#6e4e41c18ebe7719ae4d38e5aca3d32fa3dd23d3"
-  integrity sha512-3Zhi6C0euYZL5sM0Zcy7lInLXKQ+YLcF/olbN010mzGQ4XVm50JeyBnMqofHh696GrciGruC7kCcApPDJvVgwA==
+handlebars@^4.1.2:
+  version "4.1.2"
+  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.2.tgz#b6b37c1ced0306b221e094fc7aca3ec23b131b67"
+  integrity sha512-nvfrjqvt9xQ8Z/w0ijewdD/vvWDTOweBUm96NTr66Wfvo1mJenBLwcYmPs3TIBP5ruzYGD7Hx/DaM9RmhroGPw==
   dependencies:
     neo-async "^2.6.0"
     optimist "^0.6.1"