Skip to content

Bump handlebars from 4.7.7 to 4.7.9 #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dependabot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump handlebars from 4.7.7 to 4.7.9 #28

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
"dependencies": {
"child_process": "^1.0.2",
"fs-extra": "^9.0.1",
"handlebars": "^4.7.7",
"handlebars": "^4.7.9",
"yargs": "^17.0.1"
},
"scripts": {
Expand Down
24 changes: 21 additions & 3 deletions yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -399,7 +399,7 @@ __metadata:
languageName: node
linkType: hard

"handlebars@npm:*, handlebars@npm:^4.7.7":
"handlebars@npm:*":
Copy link
Copy Markdown

@cursor cursor Bot Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Vulnerable handlebars 4.7.7 still resolved in lockfile

Medium Severity

The yarn.lock still resolves handlebars@npm:* (from the @types/handlebars transitive dependency) to the old vulnerable version 4.7.7. Previously, both * and ^4.7.7 shared one entry pointing to 4.7.7. After the bump, the entry was split: the direct dependency correctly gets 4.7.9, but the * specifier from @types/handlebars still pins to 4.7.7. This means the vulnerable version is still installed, partially defeating the purpose of this security update. Both specifiers can be satisfied by 4.7.9 and ideally would share a single resolution.

Fix in Cursor Fix in Web

version: 4.7.7
resolution: "handlebars@npm:4.7.7"
dependencies:
Expand All @@ -417,6 +417,24 @@ __metadata:
languageName: node
linkType: hard

"handlebars@npm:^4.7.9":
version: 4.7.9
resolution: "handlebars@npm:4.7.9"
dependencies:
minimist: ^1.2.5
neo-async: ^2.6.2
source-map: ^0.6.1
uglify-js: ^3.1.4
wordwrap: ^1.0.0
dependenciesMeta:
uglify-js:
optional: true
bin:
handlebars: bin/handlebars
checksum: ac39070fc1c3c76a654e4b526383eaf1601976eaa474547b263915b4806977f083600e586ca923709baeed7c82a42640bcc9cc04c37a7efd3fb444f49b8347d6
languageName: node
linkType: hard

"has-symbols@npm:^1.0.3, has-symbols@npm:^1.1.0":
version: 1.1.0
resolution: "has-symbols@npm:1.1.0"
Expand Down Expand Up @@ -499,7 +517,7 @@ __metadata:
languageName: node
linkType: hard

"neo-async@npm:^2.6.0":
"neo-async@npm:^2.6.0, neo-async@npm:^2.6.2":
version: 2.6.2
resolution: "neo-async@npm:2.6.2"
checksum: deac9f8d00eda7b2e5cd1b2549e26e10a0faa70adaa6fdadca701cc55f49ee9018e427f424bac0c790b7c7e2d3068db97f3093f1093975f2acb8f8818b936ed9
Expand All @@ -525,7 +543,7 @@ __metadata:
"@types/yargs": ^15.0.5
child_process: ^1.0.2
fs-extra: ^9.0.1
handlebars: ^4.7.7
handlebars: ^4.7.9
ts-node: ^10.9.1
typescript: ^5.1.6
yargs: ^17.0.1
Expand Down