emberjs/ember-rails

ember-rails & ember-source dependency conflicts

JuanitoFatas opened this issue · 4 comments

Hi there!

I am trying to upgrade my application via bundle update with this Gemfile:

source "https://rubygems.org"

gem "handlebars-source", ">= 4.0.0"
gem "ember-rails", "~> 0.15.0"
gem "ember-source", "~> 1.7.0"
gem "ember-data-source", "~> 1.0.0.beta.4"

However, ember-rails & ember-source have a version conflict 😓:

Bundler could not find compatible versions for gem "handlebars-source":
  In Gemfile:
    handlebars-source (>= 4.0.0)

    ember-rails (~> 0.15.0) was resolved to 0.15.1, which depends on
      handlebars-source (> 1.0.0)

    ember-source (~> 1.7.0) was resolved to 1.7.0, which depends on
      handlebars-source (~> 1.0)

Thanks in advance! 🙇

Could you remove 'handlebars-source' from your Gemfile?
'ember-source' requires 'handlebars-source' 1.x to precompile its templates.

handlebars-source has a security issue, so I need to make it >= 4.0.0 :(

Name: handlebars-source
Version: 1.3.0
Advisory: 131671
Criticality: Unknown
URL: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
Title: handlebars.js - quoteless attributes in templates can lead to XSS
Solution: upgrade to >= 4.0.0

Ah, I see.
I think this security issue doesn't affect Ember applications.
The reason is that Ember's bind-attr helper will escape bound attributes.

BTW ember-source 1.10.0 or later doesn't depend on handlebars-source.

If you use handlebars as more than Ember's template engine, could you try to update ember-source to at least 1.10.0?

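
As an added illustration of the advisory quoted above (example code written for this page, not part of the original thread and not code from Handlebars, Ember or ember-rails), the block below models in JavaScript why an unquoted attribute binding in a template is an XSS sink and what escaping "=" changes. The two escape tables are assumed approximations of Handlebars' escapeExpression() before and after 4.0.0, the small render() and attributeNames() helpers are stand-ins for the template engine and a browser's start-tag tokenizer, and the template and payload are constructed for the example.

```javascript
// Added example, not code from the ember-rails issue or the Handlebars project.
// It models how Handlebars' escapeExpression() treated "=" before and after
// 4.0.0 (escape tables assumed from memory of the Handlebars source, not
// copied from it) and shows why a quoteless attribute is an XSS sink.

// Assumed pre-4.0 escape table: quotes are escaped, "=" is not.
const OLD_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// Assumed 4.0.0 table: identical except "=" is now escaped as well.
const NEW_ESCAPES = { ...OLD_ESCAPES, '=': '&#x3D;' };

function makeEscaper(table) {
  return value => Array.from(String(value), c => table[c] ?? c).join('');
}
const escapeOld = makeEscaper(OLD_ESCAPES);
const escapeNew = makeEscaper(NEW_ESCAPES);

// Minimal {{name}} substitution standing in for a Handlebars template.
function render(template, ctx, escape) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => escape(ctx[name]));
}

// Simplified HTML start-tag attribute tokenizer: whitespace-separated names,
// optional =value that is quoted or unquoted. Attribute names are never
// entity-decoded by browsers, which is what makes the "=" escape effective.
function attributeNames(startTag) {
  const body = startTag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const isSpace = c => /\s/.test(c);
  const names = [];
  let i = 0;
  while (i < body.length) {
    while (i < body.length && isSpace(body[i])) i++;
    if (i >= body.length) break;
    let name = '';
    while (i < body.length && !isSpace(body[i]) && body[i] !== '=') name += body[i++];
    names.push(name.toLowerCase());
    while (i < body.length && isSpace(body[i])) i++;
    if (body[i] === '=') {
      i++;
      while (i < body.length && isSpace(body[i])) i++;
      if (body[i] === '"' || body[i] === "'") {
        const quote = body[i++];
        while (i < body.length && body[i] !== quote) i++;
        i++; // skip closing quote
      } else {
        while (i < body.length && !isSpace(body[i])) i++; // unquoted value ends at whitespace
      }
    }
  }
  return names;
}

// Constructed templates and an attacker-controlled value for the binding.
const UNQUOTED = '<a href={{url}}>';
const QUOTED = '<a href="{{url}}">';
const PAYLOAD = 'x onmouseover=alert(1)';

// Attribute names a browser would see after rendering PAYLOAD into `template`.
function attributesSeenByBrowser(template, escape) {
  return attributeNames(render(template, { url: PAYLOAD }, escape));
}

console.log(attributesSeenByBrowser(UNQUOTED, escapeOld)); // href plus an injected onmouseover handler
console.log(attributesSeenByBrowser(UNQUOTED, escapeNew)); // href plus a harmless junk attribute name
console.log(attributesSeenByBrowser(QUOTED, escapeOld));   // href only, even with the old table
```

With the unquoted template and the old table, the space in the value ends the href and `onmouseover=alert(1)` becomes a second, live attribute; with "=" escaped, the leftover text is just an attribute name containing `&#x3D;`, which no browser treats as an event handler. The quoted template is safe under both tables, which is why quoting every bound attribute in templates is the real fix and the 4.0.0 escape is defence in depth.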
This works!

Thanks for your prompt reply and your time 👍