
[fix]: bump handlebars to 4.7.9 (SECURE-3011)#1437

Merged
danney-chun merged 1 commit into
mainfrom
fix/SECURE-3011-handlebars-bump
Jun 4, 2026

Conversation

@danney-chun
Contributor

@danney-chun danney-chun commented Jun 1, 2026

Summary

Fixes SECURE-3011 — bump handlebars from 4.7.8 → 4.7.9 to address CVE-2026-33941 / GHSA-xjpj-3mr7-gcpf.

  • Severity: High
  • Vulnerability: Handlebars CLI precompiler allows code injection / XSS via unescaped template filenames and CLI option values (--namespace, --commonjs, --handlebarPath).
  • Reachability: Conditionally Reachable (per Semgrep SSC).

Impact analysis

  • handlebars is a transitive devDependency via plop@^2.5.3 → node-plop@0.26.3 → handlebars@^4.4.3.
  • It is only used by the generate-component script (developer-only component scaffolding) — not bundled into the published package.
  • No runtime / consumer impact. Bumped for supply-chain hygiene.

Approach

  • node-plop still pins handlebars@^4.4.3, so a direct yarn up wouldn't shift the resolution. Added a yarn resolutions entry to force 4.7.9:

    "handlebars@^4.4.3": "^4.7.9"
  • yarn.lock now resolves handlebars@npm:4.7.9.

Test plan

  • yarn install — resolution applied cleanly (handlebars@npm:4.7.9 in yarn.lock)
  • yarn build — exit 0, dist generated (warnings are pre-existing, unrelated to this change)
  • yarn test — 941 passed / 10 skipped / 0 failed across 168 suites

🤖 Generated with Claude Code

CVE-2026-33941 / GHSA-xjpj-3mr7-gcpf — handlebars CLI precompiler
code injection / XSS vulnerability. handlebars is a transitive
devDependency via plop → node-plop, so production bundles are not
affected, but we bump for supply-chain hygiene.

Forced via yarn resolutions since node-plop pins ^4.4.3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
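The "yarn.lock now resolves handlebars@npm:4.7.9" check in the test plan above can be scripted so CI catches a regression if a later install drops the resolutions override. The following is an added example, not code from this PR or the sendbird-uikit-react project: it parses a Yarn Berry lockfile and reports any handlebars descriptor still locked below 4.7.9; the lockfile fragment embedded in it is constructed.

```javascript
// Yarn Berry yarn.lock parser: unindented quoted keys list descriptors, 2-space lines are fields.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    const head = !line.startsWith(" ") && line.match(/^"?([^"]+?)"?:$/);
    if (head) {
      current = {}; // one record shared by every descriptor in the key ("a@npm:^1, a@npm:^1.2")
      for (const desc of head[1].split(",")) entries[desc.trim()] = current;
      continue;
    }
    const field = current && line.match(/^  (version|resolution): "?([^"]+)"?$/);
    if (field) current[field[1]] = field[2];
  }
  return entries;
}

// major.minor.patch comparison; pre-release/build suffixes are ignored.
function versionAtLeast(actual, minimum) {
  const [a, b] = [actual, minimum].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  return true;
}

// Returns "descriptor -> version" for each entry of pkg still locked below minimum.
function findUnpatched(lockText, pkg, minimum) {
  const bad = [];
  for (const [desc, info] of Object.entries(parseYarnLock(lockText))) {
    if (desc.slice(0, desc.indexOf("@", 1)) !== pkg) continue; // indexOf from 1 handles @scope/name
    if (!info.version || !versionAtLeast(info.version, minimum)) bad.push(`${desc} -> ${info.version}`);
  }
  return bad;
}
// Constructed lockfile fragment (not the project's real yarn.lock), shaped like the post-bump state.
const SAMPLE_LOCK = `"handlebars@npm:^4.4.3":
  version: 4.7.9
  resolution: "handlebars@npm:4.7.9"
"node-plop@npm:0.26.3":
  version: 0.26.3
  resolution: "node-plop@npm:0.26.3"
  dependencies:
    handlebars: ^4.4.3
`;
if (typeof require !== "undefined" && require.main === module) {
  const text = process.argv[2] ? require("node:fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  const bad = findUnpatched(text, "handlebars", "4.7.9"); // usage: node check-lock.js [path/to/yarn.lock]
  console.log(bad.length ? `UNPATCHED: ${bad.join(", ")}` : "ok: every handlebars descriptor is >= 4.7.9");
  process.exitCode = bad.length ? 1 : 0;
}
```

Run it against the real yarn.lock path to get a non-zero exit code whenever a handlebars descriptor resolves below the patched version.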

netlify Bot commented Jun 1, 2026

Deploy Preview for sendbird-uikit-react ready!

Name Link
🔨 Latest commit ef7eb5d
🔍 Latest deploy log https://app.netlify.com/projects/sendbird-uikit-react/deploys/6a1d49f18418c40008724b05
😎 Deploy Preview https://deploy-preview-1437--sendbird-uikit-react.netlify.app

@danney-chun danney-chun self-assigned this Jun 1, 2026
Contributor

@sf-tyler-jeong sf-tyler-jeong left a comment


👍

@danney-chun danney-chun merged commit 980223b into main Jun 4, 2026
8 checks passed