Bump handlebars from 4.0.11 to 4.1.2

[dependabot-preview[bot]]

Bumps handlebars from 4.0.11 to 4.1.2.

Changelog

Sourced from handlebars's changelog.

v4.1.2 - April 13th, 2019

Chore/Test:

• #1515 - Port over linting and test for typings (@​zimmi88)
• chore: add missing typescript dependency, add package-lock.json - 594f1e3
• test: remove safari from saucelabs - 871accc

Bugfixes:

• fix: prevent RCE through the "lookup"-helper - cd38583

Compatibility notes:

Access to the constructor of a class thought {{lookup obj "constructor" }} is now prohibited. This closes a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.

This kind of access is not the intended use of Handlebars and leads to the vulnerability described in #1495. We will not increase the major version, because such use is not intended or documented, and because of the potential impact of the issue (we fear that most people won't use a new major version and the issue may not be resolved on many systems).

Commits

v4.1.1 - March 16th, 2019

Bugfixes:

• fix: add "runtime.d.ts" to allow "require('handlebars/runtime')" in TypeScript - 5cedd62

Refactorings:

• replace "async" with "neo-async" - 048f2ce
• use "substring"-function instead of "substr" - 445ae12

Compatibility notes:

• This is a bugfix release. There are no breaking change and no new features.

Commits

v4.1.0 - February 7th, 2019

New Features

• import TypeScript typings - 27ac1ee

Security fixes:

• disallow access to the constructor in templates to prevent RCE - 42841c4, #1495

Housekeeping

• chore: fix components/handlebars package.json and auto-update on release - bacd473
• chore: Use node 10 to build handlebars - 78dd89c
• chore/doc: Add more release docs - 6b87c21

... (truncated)

Commits

• 10b5fcf v4.1.2
• dd0144c Update release notes
• 594f1e3 chore: add missing typescript dependency, add package-lock.json
• 871accc test: remove safari from saucelabs
• cd38583 fix: prevent RCE through the "lookup"-helper
• c454d94 Merge pull request #1515 from zimmi88/4.x-typings-lint
• 9cfb5dd Merge pull request #1516 from phil-davis/revert-double-release-notes
• be44246 Remove triplicate of v4.0.12 release notes
• 002561b Revert "Update release notes"
• 3fb6687 Port over linting and test for typings
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[codecov[bot]]

Codecov Report

Merging #226 into develop will not change coverage. The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop     #226   +/-   ##
========================================
  Coverage    66.66%   66.66%           
========================================
  Files          146      146           
  Lines         1926     1926           
========================================
  Hits          1284     1284           
  Misses         642      642

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 8f0edaf...13128d5. Read the comment docs.

[codecov[bot]]

Codecov Report

Merging #226 into develop will not change coverage. The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop     #226   +/-   ##
========================================
  Coverage    66.66%   66.66%           
========================================
  Files          146      146           
  Lines         1926     1926           
========================================
  Hits          1284     1284           
  Misses         642      642

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 8f0edaf...13128d5. Read the comment docs.