npmpackage.info

Gathering detailed insights and metrics for handlebars

Other packages similar to handlebars

handlebars-layouts

3.1.4

Handlebars helpers which implement layout blocks similar to Jade, Jinja, Nunjucks, Swig, and Twig.

handlebars-utils

1.0.6

Utils for handlebars helpers. Externalized from handlebars, to allow helpers to use the utils without having to depend on handlebars itself.

handlebars-loader

1.7.3

handlebars loader module for webpack

express-handlebars

8.0.3

A Handlebars view engine for Express which doesn't suck.

Gathering detailed insights and metrics for handlebars

handlebars - 4.7.8 | npmpackage.info

handlebars

Minimal templating on steroids.

4.7.8

18,324

MIT

JavaScript

2.65 MB

Installations

npm install handlebars

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS, UMD

Min. Node Version

>=0.4.7

Node Version

18.16.1

NPM Version

9.5.1 Score

97.5

Supply Chain

99.3

Quality

81.9

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

28

Total

576

Closed

185

Merged

363

Issues

Open

79

Total

1,392

Closed

1,313

Releases

v4.7.8

Updated on Aug 01, 2023

View All 1 releases

Languages

JavaScript

HTML

TypeScript

Shell

Ruby

Handlebars

Mustache

JavaScript (94.65%)

HTML (2.19%)

TypeScript (2.19%)

Shell (0.53%)

Ruby (0.24%)

Handlebars (0.13%)

Mustache (0.06%)

Developer

handlebars-lang

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

MIT License

18,324 Stars

2,047 Commits

2,049 Forks

444 Watchers

17 Branches

188 Contributors

Updated on Jul 15, 2025

Maintainers

View All 188 Contributors

Package Meta Information

Latest Version

4.7.8

Package Id

handlebars@4.7.8

Unpacked Size

2.65 MB

Size

632.00 kB

File Count

118

NPM Version

9.5.1

Node Version

18.16.1

Published on

Aug 01, 2023

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Handlebars.js

Handlebars.js is an extension to the Mustache templating language created by Chris Wanstrath. Handlebars.js and Mustache are both logicless templating languages that keep the view and the code separated like we all know they should be.

Checkout the official Handlebars docs site at https://handlebarsjs.com/ and the live demo at http://tryhandlebarsjs.com/.

Installing

See our installation documentation.

Usage

In general, the syntax of Handlebars.js templates is a superset of Mustache templates. For basic syntax, check out the Mustache manpage.

Once you have a template, use the Handlebars.compile method to compile the template into a function. The generated function takes a context argument, which will be used to render the template.

1var source = "<p>Hello, my name is {{name}}. I am from {{hometown}}. I have " +
2             "{{kids.length}} kids:</p>" +
3             "<ul>{{#kids}}<li>{{name}} is {{age}}</li>{{/kids}}</ul>";
4var template = Handlebars.compile(source);
5
6var data = { "name": "Alan", "hometown": "Somewhere, TX",
7             "kids": [{"name": "Jimmy", "age": "12"}, {"name": "Sally", "age": "4"}]};
8var result = template(data);
9
10// Would render:
11// <p>Hello, my name is Alan. I am from Somewhere, TX. I have 2 kids:</p>
12// <ul>
13//   <li>Jimmy is 12</li>
14//   <li>Sally is 4</li>
15// </ul>

Full documentation and more examples are at handlebarsjs.com.

Precompiling Templates

Handlebars allows templates to be precompiled and included as javascript code rather than the handlebars template allowing for faster startup time. Full details are located here.

Differences Between Handlebars.js and Mustache

Handlebars.js adds a couple of additional features to make writing templates easier and also changes a tiny detail of how partials work.

Block expressions have the same syntax as mustache sections but should not be confused with one another. Sections are akin to an implicit each or with statement depending on the input data and helpers are explicit pieces of code that are free to implement whatever behavior they like. The mustache spec defines the exact behavior of sections. In the case of name conflicts, helpers are given priority.

Compatibility

There are a few Mustache behaviors that Handlebars does not implement.

Handlebars deviates from Mustache slightly in that it does not perform recursive lookup by default. The compile time compat flag must be set to enable this functionality. Users should note that there is a performance cost for enabling this flag. The exact cost varies by template, but it's recommended that performance sensitive operations should avoid this mode and instead opt for explicit path references.
The optional Mustache-style lambdas are not supported. Instead Handlebars provides its own lambda resolution that follows the behaviors of helpers.
Alternative delimiters are not supported.

Supported Environments

Handlebars has been designed to work in any ECMAScript 3 environment. This includes

Node.js
Chrome
Firefox
Safari 5+
Opera 11+
IE 6+

Older versions and other runtimes are likely to work but have not been formally tested. The compiler requires JSON.stringify to be implemented natively or via a polyfill. If using the precompiler this is not necessary.

Performance

In a rough performance test, precompiled Handlebars.js templates (in the original version of Handlebars.js) rendered in about half the time of Mustache templates. It would be a shame if it were any other way, since they were precompiled, but the difference in architecture does have some big performance advantages. Justin Marney, a.k.a. gotascii, confirmed that with an independent test. The rewritten Handlebars (current version) is faster than the old version, with many performance tests being 5 to 7 times faster than the Mustache equivalent.

Upgrading

See release-notes.md for upgrade notes.

Known Issues

See FAQ.md for known issues and common pitfalls.

Handlebars in the Wild

Assemble, by @jonschlinkert and @doowb, is a static site generator that uses Handlebars.js as its template engine.
Cory, by @leo, is another tiny static site generator
CoSchedule An editorial calendar for WordPress that uses Handlebars.js
dashbars A modern helper library for Handlebars.js.
Ember.js makes Handlebars.js the primary way to structure your views, also with automatic data binding support.
Ghost Just a blogging platform.
handlebars_assets: A Rails Asset Pipeline gem from Les Hill (@leshill).
handlebars-helpers is an extensive library with 100+ handlebars helpers.
handlebars-layouts is a set of helpers which implement extendible and embeddable layout blocks as seen in other popular templating languages.
hbs: An Express.js view engine adapter for Handlebars.js, from Don Park.
koa-hbs: koa generator based renderer for Handlebars.js.
jblotus created http://tryhandlebarsjs.com for anyone who would like to try out Handlebars.js in their browser.
jQuery plugin: allows you to use Handlebars.js with jQuery.
Lumbar provides easy module-based template management for handlebars projects.
Marionette.Handlebars adds support for Handlebars and Mustache templates to Marionette.
sammy.js by Aaron Quint, a.k.a. quirkey, supports Handlebars.js as one of its template plugins.
SproutCore uses Handlebars.js as its main templating engine, extending it with automatic data binding support.
YUI implements a port of handlebars
Swag by @elving is a growing collection of helpers for handlebars.js. Give your handlebars.js templates some swag son!
DOMBars is a DOM-based templating engine built on the Handlebars parser and runtime DEPRECATED
promised-handlebars is a wrapper for Handlebars that allows helpers to return Promises.
just-handlebars-helpers A fully tested lightweight package with common Handlebars helpers.

External Resources

Gist about Synchronous and asynchronous loading of external handlebars templates

Have a project using Handlebars? Send us a pull request!

License

Handlebars.js is released under the MIT license.

Critical

9.8/10

Summary

Prototype Pollution in handlebars

Affected Versions

< 3.0.8

Patched Versions

3.0.8

Critical

9.8/10

Summary

Prototype Pollution in handlebars

Affected Versions

>= 4.0.0, < 4.3.0

Patched Versions

4.3.0

Critical

9.8/10

Summary

Prototype Pollution in handlebars

Affected Versions

< 4.7.7

Patched Versions

4.7.7

Critical

9.8/10

Summary

Remote code execution in handlebars when compiling templates

Affected Versions

< 4.7.7

Patched Versions

4.7.7

High

7.3/10

Summary

Arbitrary Code Execution in handlebars

Affected Versions

>= 4.0.0, < 4.5.2

Patched Versions

4.5.2

High

7.3/10

Summary

Arbitrary Code Execution in handlebars

Affected Versions

< 3.0.8

Patched Versions

3.0.8

High

8.1/10

Summary

Arbitrary Code Execution in Handlebars

Affected Versions

>= 4.0.0, < 4.5.3

Patched Versions

4.5.3

High

8.1/10

Summary

Arbitrary Code Execution in Handlebars

Affected Versions

< 3.0.8

Patched Versions

3.0.8

High

7.3/10

Summary

Prototype Pollution in handlebars

Affected Versions

< 3.0.7

Patched Versions

3.0.7

High

7.3/10

Summary

Prototype Pollution in handlebars

Affected Versions

>= 4.0.0, < 4.0.14

Patched Versions

4.0.14

High

7.3/10

Summary

Prototype Pollution in handlebars

Affected Versions

>= 4.1.0, < 4.1.2

Patched Versions

4.1.2

High

7.5/10

Summary

Regular Expression Denial of Service in Handlebars

Affected Versions

>= 4.0.0, < 4.4.5

Patched Versions

4.4.5

High

0/10

Summary

Arbitrary Code Execution in handlebars

Affected Versions

>= 4.0.0, < 4.5.3

Patched Versions

4.5.3

High

0/10

Summary

Arbitrary Code Execution in handlebars

Affected Versions

< 3.0.8

Patched Versions

3.0.8

High

0/10

Summary

Prototype Pollution in handlebars

Affected Versions

>= 4.0.0, < 4.5.3

Patched Versions

4.5.3

High

0/10

Summary

Prototype Pollution in handlebars

Affected Versions

< 3.0.8

Patched Versions

3.0.8

Moderate

0/10

Summary

Remote code execution in Handlebars.js

Affected Versions

< 4.1.0

Patched Versions

4.1.0

Moderate

0/10

Summary

Denial of Service in handlebars

Affected Versions

>= 4.0.0, < 4.4.5

Patched Versions

4.4.5

Moderate

6.1/10

Summary

Cross-Site Scripting in handlebars

Affected Versions

< 4.0.0

Patched Versions

4.0.0

Moderate

0/10

Summary

Moderate severity vulnerability that affects handlebars

Affected Versions

< 4.0.0

Patched Versions

4.0.0

10

Security-Policy

Determines if the project has published a security policy.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

3

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

2

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 2

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/handlebars-lang/handlebars.js/release.yml/master?enable=pin
Warn: npmCommand not pinned by hash: tests/integration/rollup-test/test.sh:7
Warn: npmCommand not pinned by hash: tests/integration/webpack-babel-test/test.sh:7
Warn: npmCommand not pinned by hash: tests/integration/webpack-test/test.sh:7
Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
Info: 4 out of 7 npmCommand dependencies pinned

1

Maintained

Determines if the project is "actively maintained".

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

56 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-c6rp-wrp9-qr4q
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-28xh-wpgr-7fm8
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-x3m3-4wpv-5vgc
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
Warn: Project is vulnerable to: GHSA-cf66-xwfp-gvc4
Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc

Score

4

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to handlebars

Other packages similar to handlebars

handlebars

Installations

Developer Guide

Yes

CommonJS, UMD

>=0.4.7

18.16.1

9.5.1

Score

Pull Requests

28

576

185

363

Issues

79

1,392

1,313

Releases

Languages

Developer

Download Statistics

GitHub Statistics

Maintainers

Package Meta Information

Total Downloads

NaN

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

Optional Dependencies

Handlebars.js

Installing

Usage

Precompiling Templates

Differences Between Handlebars.js and Mustache

Compatibility

Supported Environments

Performance

Upgrading

Known Issues

Handlebars in the Wild

External Resources

License

10

10

10

10

3

2

1

0

0

0

0

0

4

/10