Security Releases - Ember 1.2.2, and 1.3.2

– By Robert Jackson

Because developers trust Ember.js to handle sensitive customer data in production, we take the security of the project extremely seriously. In fact, we're one of the few JavaScript projects that has a clearly outlined security policy and a low-traffic mailing list exclusively for security announcements.

Today we are announcing the release of Ember.js 1.2.2, 1.3.2, and 1.4.0-beta.6 that contain an important security fix:

These releases contain the fix for an XSS vulnerability that you can learn more about on our security mailing list:

It is recommended that you update immediately. In order to ease upgrading, the only major change in each release is the security fix (other than 1.4.0-beta.6, which is a normal beta channel release with the fix rolled in).

We would like to thank Hyder Ali of Zoho for responsibly disclosing and working with us on the patch and the advisory.

If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.

If you are using Ember.js in production, please consider subscribing to our security announcements mailing list. It is extremely low-traffic and only contains announcements such as these.

Additional Reading