Because developers trust Ember.js to handle sensitive customer data in production, we take the security of the project seriously. The Ember project maintains a clearly outlined security policy and a low-traffic mailing list exclusively for security announcements.
Security Releases: Ember.js 1.11.4, 1.12.2, 1.13.12, 2.0.3, 2.1.2, 2.2.1
Today we are announcing the release of Ember.js 1.11.4, 1.12.2, 1.13.12, 2.0.3, 2.1.2 and 2.2.1, which contain an important security fix.
- 1.11.4 -- Compare View
- 1.12.2 -- Compare View
- 1.13.12 -- Compare View
- 2.0.3 -- Compare View
- 2.1.2 -- Compare View
- 2.2.1 -- Compare View
- Additionally, the stable, beta and master branches have been patched.
These releases contain a fix for an XSS vulnerability that you can learn more about on our security mailing list:
It is recommended that you update immediately. In order to ease upgrading, the only change in each release is the security fix.
We would like to thank Roman Shafigullin at LinkedIn for reporting the issue, as well as core team member Robert Jackson at Twitch for patching the vulnerability and doing the release engineering.
If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.
If you are using Ember.js in production, please consider subscribing to our security announcements mailing list. It is extremely low-traffic and only contains announcements such as these.