[fix]: bump handlebars to 4.7.9 (SECURE-3011)

danney-chun · claude · danney-chun · commit ef7eb5d6ebd7 · 2026-06-01T17:59:07.000+09:00
CVE-2026-33941 / GHSA-xjpj-3mr7-gcpf — handlebars CLI precompiler code injection / XSS vulnerability. handlebars is a transitive devDependency via plop → node-plop, so production bundles are not affected, but we bump for supply-chain hygiene. Forced via yarn resolutions since node-plop pins ^4.4.3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/package.json b/package.json
@@ -170,6 +170,7 @@
     "svgo@^2.7.0": "^2.8.1",
     "svgo@^3.0.2": "^3.3.3",
     "rollup@^4.20.0": "^4.59.0",
-    "@babel/plugin-transform-modules-systemjs": "^7.29.4"
+    "@babel/plugin-transform-modules-systemjs": "^7.29.4",
+    "handlebars@^4.4.3": "^4.7.9"
   }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -8183,9 +8183,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"handlebars@npm:^4.4.3":
-  version: 4.7.8
-  resolution: "handlebars@npm:4.7.8"
+"handlebars@npm:^4.7.9":
+  version: 4.7.9
+  resolution: "handlebars@npm:4.7.9"
   dependencies:
     minimist: ^1.2.5
     neo-async: ^2.6.2
@@ -8197,7 +8197,7 @@ __metadata:
       optional: true
   bin:
     handlebars: bin/handlebars
-  checksum: 00e68bb5c183fd7b8b63322e6234b5ac8fbb960d712cb3f25587d559c2951d9642df83c04a1172c918c41bcfc81bfbd7a7718bbce93b893e0135fc99edea93ff
+  checksum: ac39070fc1c3c76a654e4b526383eaf1601976eaa474547b263915b4806977f083600e586ca923709baeed7c82a42640bcc9cc04c37a7efd3fb444f49b8347d6
   languageName: node
   linkType: hard
 

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,7 @@`
`170`	`170`	`"svgo@^2.7.0": "^2.8.1",`
`171`	`171`	`"svgo@^3.0.2": "^3.3.3",`
`172`	`172`	`"rollup@^4.20.0": "^4.59.0",`
`173`		`- "@babel/plugin-transform-modules-systemjs": "^7.29.4"`
	`173`	`+ "@babel/plugin-transform-modules-systemjs": "^7.29.4",`
	`174`	`+ "handlebars@^4.4.3": "^4.7.9"`
`174`	`175`	`}`
`175`	`176`	`}`