Security and Bugfix Releases - Ember 1.10.1, 1.11.2, 1.11.3


Because developers trust Ember.js to handle sensitive customer data in
production, we take the security of the project extremely seriously. Ember
remains one of the few JavaScript projects that has a clearly
outlined security policy and a low-traffic mailing list exclusively for
security announcements.

Security Releases: Ember.js 1.10.1, 1.11.2
Today we are announcing the release of Ember.js 1.10.1 and 1.11.2, which
contain an important security fix.

  • 1.10.1 -- Compare View
  • 1.11.2 -- Compare View
  • Additionally the stable, beta, and master branches have all been patched

These releases contain a fix for an XSS vulnerability that
you can learn more about on our security mailing list:

It is recommended that you update immediately. In order to ease
upgrading, the only change in each release is the security fix.

We would like to thank Phillip Haines of Zestia
for working with us on identifying the issue and on the advisory process.

If you discover what you believe may be a security issue in Ember.js, we
ask that you follow our responsible disclosure policy.

If you are using Ember.js in production, please consider subscribing to
our security announcements mailing list. It is
extremely low-traffic and only contains announcements such as these.

Additional Reading

Ember.js 1.11.3
Ember.js 1.11.3 has also been released with a fix for nested {{render}} helpers. This is
in addition to the security patch.