Bump handlebars from 4.0.12 to 4.0.14 in /src/webportal

[dependabot]

Bumps handlebars from 4.0.12 to 4.0.14.

Changelog

Sourced from handlebars's changelog.

v4.0.14 - April 13th, 2019

Chore/Test:

• test: remove safari from saucelabs - 871accc

Bugfixes:

• fix: prevent RCE through the "lookup"-helper - cd38583

Compatibility notes:

Access to the constructor of a class thought {{lookup obj "constructor" }} is now prohibited. This closes
a leak that only half closed in versions 4.0.13 and 4.1.0, but it is a slight incompatibility.

This kind of access is not the intended use of Handlebars and leads to the vulnerability described
in #1495. We will not increase the major version, because such use is not intended or documented,
and because of the potential impact of the issue (we fear that most people won't use a new major version
and the issue may not be resolved on many systems).

Commits

v4.0.13 - February 7th, 2019

New Features

• none

Security fixes:

• disallow access to the constructor in templates to prevent RCE - 42841c4, #1495

Housekeeping

• chore: fix components/handlebars package.json and auto-update on release - bacd473
• chore: Use node 10 to build handlebars - 78dd89c

Compatibility notes:

Access to class constructors (i.e. ({}).constructor) is now prohibited to prevent
Remote Code Execution. This means that following construct will no work anymore:

class SomeClass {
}

SomeClass.staticProperty = 'static'

var template = Handlebars.compile('{{constructor.staticProperty}}');
document.getElementById('output').innerHTML = template(new SomeClass());
// expected: 'static', but now this is empty.

... (truncated)

Commits

• 272362e v4.0.14
• 2a5a801 Update release notes
• 7375da4 test: remove safari from saucelabs
• d4e64b6 chore: .gitignore more files
• 85c8783 fix: prevent RCE through the "lookup"-helper
• d97a045 chore: reactivate saucelabs-tests
• 5f47c4a test: make security testcase internet explorer compatible
• 7c2fbcc chore: Use node 10 to build handlebars
• 9d4fff1 v4.0.13
• 2d49b67 Update release notes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

[coveralls]

Coverage remained the same at 53.217% when pulling d3e83e4 on dependabot/npm_and_yarn/src/webportal/handlebars-4.0.14 into 6cc8701 on master.

[sunqinzheng]

@dependabot squash and merge