[Security] Bump handlebars from 4.5.1 to 4.7.7

[dependabot-preview]

Bumps handlebars from 4.5.1 to 4.7.7. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Prototype Pollution in handlebars Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Affected versions: >= 4.0.0 < 4.5.3

Sourced from The GitHub Security Advisory Database.

Arbitrary Code Execution in handlebars Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

	{{#with split as |a|}}
		{{pop (push "alert('Vulnerable Handlebars JS');")}}
		{{#with (concat (lookup join (slice 0 1)))}}
			{{#each (slice 2 3)}}
				{{#with (apply 0 a)}}
					{{.}}
				{{/with}}
			{{/each}}
		{{/with}}
	{{/with}}
{{/with}}```
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Affected versions: >= 4.0.0 < 4.5.2

Sourced from The Node Security Working Group.

Denial of Service Crash Node.js process from handlebars using a small and simple source

Affected versions: <4.6.0

Changelog

Sourced from handlebars's changelog.

v4.7.7 - February 15th, 2021

• fix weird error in integration tests - eb860c0
• fix: check prototype property access in strict-mode (#1736) - b6d3de7
• fix: escape property names in compat mode (#1736) - f058970
• refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
• chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

• the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

• #1672 - Switch cmd parser to latest minimist (@dougwilson

Compatibility notes:

• Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

• Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

• Node.js < v6 is no longer supported Reverted in 4.7.6

Commits

v4.7.4 - April 1st, 2020

Chore/Housekeeping:

• #1666 - Replaced minimist with yargs for handlebars CLI (@aorinevo, @AviVahl & @fabb)

Compatibility notes:

... (truncated)

Commits

• a9a8e40 v4.7.7
• e66aed5 Update release notes
• 7d4d170 disable IE in Saucelabs tests
• eb860c0 fix weird error in integration tests
• b6d3de7 fix: check prototype property access in strict-mode (#1736)
• f058970 fix: escape property names in compat mode (#1736)
• 77825f8 refator: In spec tests, use expectTemplate over equals and shouldThrow (#1683)
• 3789a30 chore: start testing on Node.js 12 and 13
• e6ad93e v4.7.6
• 2bf4fc6 Update release notes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request during working hours.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

• Update frequency
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/manifold/ui/6gsfsmrt4
✅ Preview: https://ui-git-dependabot-npmandyarnhandlebars-477.manifold.vercel.app

[dependabot-preview]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

• changelog

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

[codecov]

Codecov Report

Merging #1072 (a107081) into master (0c9fa08) will decrease coverage by 0.64%.
The diff coverage is 86.01%.

@@            Coverage Diff             @@
##           master    #1072      +/-   ##
==========================================
- Coverage   79.46%   78.82%   -0.65%     
==========================================
  Files          81       80       -1     
  Lines        1534     1577      +43     
  Branches      394      356      -38     
==========================================
+ Hits         1219     1243      +24     
- Misses        281      304      +23     
+ Partials       34       30       -4     

Impacted Files	Coverage Δ
...ld-data-provision-button/create-with-owner.graphql	100.00% <ø> (ø)
src/data/resource.tsx	75.00% <ø> (ø)
src/utils/marketplace.ts	42.85% <ø> (+5.35%)	⬆️
...d-data-has-resource/manifold-data-has-resource.tsx	79.48% <42.85%> (ø)
...ifold-data-sso-button/manifold-data-sso-button.tsx	86.20% <50.00%> (-0.46%)	⬇️
...urce-credentials/manifold-resource-credentials.tsx	92.30% <50.00%> (ø)
.../manifold-resource-list/manifold-resource-list.tsx	78.57% <60.00%> (-0.92%)	⬇️
...resource-container/manifold-resource-container.tsx	86.48% <75.00%> (-4.69%)	⬇️
src/global/app.ts	65.71% <78.84%> (ø)
...ents/manifold-active-plan/manifold-active-plan.tsx	59.09% <100.00%> (+2.56%)	⬆️
... and 50 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5c62b31...a107081. Read the comment docs.