Handlebars.js: Version 4.6.0 breaks istanbul (code coverage) html reporter

Created on 10 Jan 2020 · 12 Comments · Source: handlebars-lang/handlebars.js

See e.g. https://github.com/facebook/jest/issues/9388. Installing [email protected] into the reproduction provided there fixes the report.

Note that the latest version of istanbul-reports no longer uses handlebars, but e.g. the version currently shipped with Jest does use it. Source code here: https://github.com/istanbuljs/istanbuljs/tree/istanbul-reports%402.2.5/packages/istanbul-reports/lib/html

All 12 comments

Same here. Install 4.5.3 and it works fine!

@SimenB This will be due to the removal of the ability to use prototype methods. I imagine that is what Istanbul uses (or used to use).

See the release notes:
"Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details."

See #1633 and #1635 for details and explanations
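
The behaviour quoted from the release notes, as a simplified model added here for illustration (not code from Handlebars or istanbul-reports): a template lookup returns own properties only, and inherited members resolve only when explicitly allow-listed. The names `lookupProperty`, `ReportNode`, `render` and the shape of `allowed` are assumptions of this example.

```javascript
// Simplified model of own-property-only template lookups with an allow-list.
// Not Handlebars source code; every name here is hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lookupProperty(parent, name, allowed = {}) {
  if (parent == null) return undefined;
  const value = parent[name];
  if (value === undefined) return undefined;
  // Own properties are always visible to the template.
  if (hasOwn(parent, name)) return value;
  // Inherited (prototype) members need an explicit allow-list entry.
  // hasOwn on the list matters: a plain `list[name]` check would let
  // inherited keys such as `constructor` slip through.
  const list = typeof value === 'function' ? allowed.methods : allowed.properties;
  if (list && hasOwn(list, name) && list[name] === true) return value;
  return undefined;
}

// Constructed sample: a report node that exposes its data through a class
// method, the pattern that stops resolving once prototype access is denied.
class ReportNode {
  constructor(name) { this.name = name; }
  getRelativeName() { return `src/${this.name}`; }
}

function render(node, allowed) {
  const file = lookupProperty(node, 'getRelativeName', allowed);
  const ctor = lookupProperty(node, 'constructor', allowed);
  return {
    file: typeof file === 'function' ? file.call(node) : '',
    name: lookupProperty(node, 'name', allowed),
    constructorReachable: ctor !== undefined,
  };
}

const node = new ReportNode('index.js');
// Default: the method lives on the prototype, so the output field is empty.
const strict = render(node);
// Allow-listing one method restores it without exposing anything else.
const relaxed = render(node, { methods: { getRelativeName: true } });
console.log(strict, relaxed);
```

The empty `file` field in the default case is how a broken report shows up: the lookup fails silently instead of throwing.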

@coreyfarrell @bcoe thoughts on releasing a patch version of istanbul-reports@2 that removes Istanbul (cherry picking the change that went into v3)? Or update the templates to work with [email protected]?

I'll try to release #1635 today

@SimenB is #1635 a feasible solution for you?

Since a patch will be needed for [email protected] to work again my plan is to back-port the handlebars removal patch and do a special release of that.

I would lean towards saying that #1635 should not be rushed on our behalf since I'm unlikely to make a release to use the added options (#1635 alone will not fix [email protected]).

It is not only because of Istanbul. Typedoc and others need it too.

But it's good to know you have another plan.

I'm sorry for the hassle this caused. The security issues are certainly not that relevant for your project. But they are for others. It wasn't an easy decision to break the behaviour in a minor bump, but I still think it is better to break builds than to have insecure servers with known exploits

Can we close this issue again?

@SimenB it would be interesting to know how you are replacing handlebars. Custom implementation, different framework? Just interested

I don't maintain istanbul, but you can see this commit which replaces it with string templates and an escaper: https://github.com/istanbuljs/istanbuljs/commit/23a56edefaa776d5b04a051988a7202a8d294c68. The templates are relatively simple without using advanced handlebars features, so it seems straightforward

Can we close this issue again?

I'm fine with closing although this won't be fixed until Istanbul has a release (hopefully soonish 🙂)

New version of istanbul-reports published, so this is solved from my perspective.
