Bump handlebars from 4.7.7 to 4.7.9#28
Conversation
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.7 to 4.7.9. - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.7...v4.7.9) --- updated-dependencies: - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
PR SummaryLow Risk Overview This is primarily a dependency/lockfile bump intended to pick up upstream fixes (including security patches) with no application code changes. Written by Cursor Bugbot for commit efe52d5. This will update automatically on new commits. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Vulnerable handlebars 4.7.7 still resolved in lockfile
- Regenerated lockfile resolution so both
handlebars@*andhandlebars@^4.7.9now resolve to 4.7.9, removing the vulnerable 4.7.7 entry.
- Regenerated lockfile resolution so both
Or push these changes by commenting:
@cursor push 94b16809b4
Preview (94b16809b4)
diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
@@ -399,25 +399,7 @@
languageName: node
linkType: hard
-"handlebars@npm:*":
- version: 4.7.7
- resolution: "handlebars@npm:4.7.7"
- dependencies:
- minimist: ^1.2.5
- neo-async: ^2.6.0
- source-map: ^0.6.1
- uglify-js: ^3.1.4
- wordwrap: ^1.0.0
- dependenciesMeta:
- uglify-js:
- optional: true
- bin:
- handlebars: bin/handlebars
- checksum: 1e79a43f5e18d15742977cb987923eab3e2a8f44f2d9d340982bcb69e1735ed049226e534d7c1074eaddaf37e4fb4f471a8adb71cddd5bc8cf3f894241df5cee
- languageName: node
- linkType: hard
-
-"handlebars@npm:^4.7.9":
+"handlebars@npm:*, handlebars@npm:^4.7.9":
version: 4.7.9
resolution: "handlebars@npm:4.7.9"
dependencies:
@@ -517,7 +499,7 @@
languageName: node
linkType: hard
-"neo-async@npm:^2.6.0, neo-async@npm:^2.6.2":
+"neo-async@npm:^2.6.2":
version: 2.6.2
resolution: "neo-async@npm:2.6.2"
checksum: deac9f8d00eda7b2e5cd1b2549e26e10a0faa70adaa6fdadca701cc55f49ee9018e427f424bac0c790b7c7e2d3068db97f3093f1093975f2acb8f8818b936ed9You can send follow-ups to this agent here.
| linkType: hard | ||
|
|
||
| "handlebars@npm:*, handlebars@npm:^4.7.7": | ||
| "handlebars@npm:*": |
There was a problem hiding this comment.
Vulnerable handlebars 4.7.7 still resolved in lockfile
Medium Severity
The yarn.lock still resolves handlebars@npm:* (from the @types/handlebars transitive dependency) to the old vulnerable version 4.7.7. Previously, both * and ^4.7.7 shared one entry pointing to 4.7.7. After the bump, the entry was split: the direct dependency correctly gets 4.7.9, but the * specifier from @types/handlebars still pins to 4.7.7. This means the vulnerable version is still installed, partially defeating the purpose of this security update. Both specifiers can be satisfied by 4.7.9 and ideally would share a single resolution.
Bumps handlebars from 4.7.7 to 4.7.9.
Release notes
Sourced from handlebars's releases.
Changelog
Sourced from handlebars's changelog.
Commits
dce542cv4.7.98a41389Update release notes68d8df5Fix security issuesb2a0831Fix browser tests9f98c16Fix release script45443b4Revert "Improve partial indenting performance"8841a5fFix CI errors with lintinge0137c2fix: enable shell mode for spawn to resolve Windows EINVAL issuee914d60Improve rendering performance7de4b41Upgrade GitHub Actions checkout and setup-node on 4.x branchMaintainer changes
This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.