Author Topic: Mibew dependencies  (Read 6180 times)

millerthegorilla

  • Full Member
  • ***
  • Posts: 7
Mibew dependencies
« on: January 13, 2016, 08:56:48 AM »
Hi, I just started looking at Mibew to integrate into a web site that I am developing that has an open source solution CMS. I was unfamiliar with handlebars/marionette before inspecting the code, so I'm very glad that I did, since they are valuable additions to my web toolkit. However, I noticed that some of the backend versions are quite out of date. Do you intend to update the dependencies?

Handlebars, for example, is at v3.0.3 in the mibew git codebase and the GitHub current version of handlebars is v4.0.5.  None of the dependencies seem to have been updated since 2014.

Is it possible to update dependencies from the cloned git source by using bower or similar?

millerthegorilla

Re: Mibew dependencies
« Reply #1 on: January 13, 2016, 09:56:16 AM »
Hi, I checked the bower.json and upgraded all the dependencies to the latest releases, and then ran bower update.  Then I uninstalled lodash, and reinstalled using the command lodash@3.10.1.   (lodash's latest version is 4.0).

This upgraded all the dependencies.  I installed the built version and it is all working fine.  Many thanks.

millerthegorilla

Re: Mibew dependencies
« Reply #2 on: January 13, 2016, 10:25:04 AM »
Hi, I updated the dependencies of mibew by updating the versions of the required libraries in the bower.json file, and then ran bower update. I then removed lodash and reinstalled version 3.10.1 (the last revision of the 3.0 branch) before running 'gulp default'. The resulting code installed ok, and the back end is fine, but when I call the client, the iframe is constructed with round corners but no visible content.

I am guessing that this is due to the updated dependencies breaking the code in some way. I have submitted an issue on GitHub, but is there any way of debugging Mibew?

Dmitriy Simushev

  • Moderator
  • Native
  • *****
  • Posts: 345
Re: Mibew dependencies
« Reply #3 on: January 13, 2016, 11:03:59 AM »
First of all, I don't get why you need to update dependencies. Seriously, why?

As far as I know, Mibew works fine with the current dependencies, so the only reasons to update them are a security problem or something becoming broken.

I don't think we will spend our time completely updating dependencies until the next major release of Mibew (3.0).

millerthegorilla

Re: Mibew dependencies
« Reply #4 on: January 13, 2016, 03:30:25 PM »
There have been a number of security fixes for the codebases pulled into the JS since the Mibew release. For instance, in handlebars.js v4.0.0:

Quote
The = character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e. <div foo={{bar}}>. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.

from https://github.com/wycats/handlebars.js/blob/master/release-notes.md
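
The release-note point quoted in the reply above, as an added example that is not part of the thread and not Handlebars or Mibew code: a simplified model of mustache escaping with and without the `=` entry, fed a constructed value, shows how an unquoted attribute splits into a second attribute and how quoting avoids that with either escape set. The escape tables, `parseAttributes`, `render`, `demo` and the sample value are assumptions made for illustration.

```javascript
// Added illustration; not Handlebars or Mibew code.
// Simplified model of mustache HTML-escaping: the only difference modelled
// between the two tables is the "=" entry described in the release note.
const BASE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
const WITH_EQ = { ...BASE, '=': '&#x3D;' };

function escapeWith(map, value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => map[ch] || ch);
}

// Minimal attribute tokenizer for one start tag (assumption: well-formed input).
// Like a browser, it ends an unquoted value at whitespace and does not decode
// character references inside attribute names.
function parseAttributes(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/>$/, '');
  const attrs = {};
  const re = /([^\s=]+)(?:=(?:"([^"]*)"|([^\s]*)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1]] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : '');
  }
  return attrs;
}

// Render <div foo={{bar}}> (unquoted) or <div foo="{{bar}}"> (quoted).
function render(map, quoted, value) {
  const v = escapeWith(map, value);
  return quoted ? `<div foo="${v}">` : `<div foo=${v}>`;
}

function demo(value) {
  return {
    unquotedOld: parseAttributes(render(BASE, false, value)),
    unquotedNew: parseAttributes(render(WITH_EQ, false, value)),
    quotedOld: parseAttributes(render(BASE, true, value)),
  };
}

// Constructed sample value: harmless, but contains a space and an "=".
console.log(demo('x data-extra=1'));
```

With `=` escaped, the unquoted template still produces a stray attribute name, just one that cannot carry a value; only the quoted form keeps the whole value inside `foo`.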


millerthegorilla

Re: Mibew dependencies
« Reply #5 on: January 13, 2016, 03:34:52 PM »
I don't know mustache/handlebars at all as a templating language, so maybe it's overkill, but I don't want to risk security issues due to the database containing for-sale goods.

Dmitriy Simushev

Re: Mibew dependencies
« Reply #6 on: January 14, 2016, 01:51:40 PM »
I'm not aware of any handlebars security problems. Thus I believe the upgrade is not necessary.