Security and Bugfix Releases - Ember 1.10.1, 1.11.2, 1.11.3

Because developers trust Ember.js to handle sensitive customer data in production, we take the security of the project extremely seriously. Ember remains one of the few JavaScript projects that has a clearly outlined security policy and a low-traffic mailing list exclusively for security announcements.

Security Releases: Ember.js 1.10.1, 1.11.2

Today we are announcing the release of Ember.js 1.10.1 and 1.11.2, which contain an important security fix.

• 1.10.1 -- Compare View
• 1.11.2 -- Compare View
• Additionally the stable, beta, and master branches have all been patched

These releases contain a fix for an XSS vulnerability that you can learn more about on our security mailing list:

• CVE-2015-1866

It is recommended that you update immediately. In order to ease upgrading, the only change in each release is the security fix.

We would like to thank Phillip Haines of Zestia for working with us on identifying the issue and on the advisory process.

If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.

If you are using Ember.js in production, please consider subscribing to our security announcements mailing list. It is extremely low-traffic and only contains announcements such as these.

Additional Reading

• Ember.js Security Policy Announcement
• Ember.js Security Policy
• Ember.js Security Group

Ember.js 1.11.3

Ember.js 1.11.3 has also been released with a fix for nested {{render}} helpers. This is in addition to the security patch.

• 1.11.3 -- Compare View