From 0936fdafaf2aeb55edd4f5e8fd75297cc2bc4d59 Mon Sep 17 00:00:00 2001
From: Romit <85230081+romitg2@users.noreply.github.com>
Date: Sat, 28 Mar 2026 13:31:18 +0530
Subject: [PATCH 1/5] fix: upgrade handlebars to 4.7.9 to resolve critical
 vulnerability (#28625)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 apps/web/package.json               |  2 +-
 packages/features/auth/package.json |  2 +-
 yarn.lock                           | 28 ++++++++++++++--------------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/apps/web/package.json b/apps/web/package.json
index e7c254c61f89cb..9d4a5db8a1994d 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -92,7 +92,7 @@
     "classnames": "2.3.2",
     "dompurify": "3.3.1",
     "entities": "4.5.0",
-    "handlebars": "4.7.7",
+    "handlebars": "4.7.9",
     "i18next": "23.2.3",
     "ical.js": "1.5.0",
     "ics": "2.37.0",
diff --git a/packages/features/auth/package.json b/packages/features/auth/package.json
index 7006a4f00d465f..946da58ce350f6 100644
--- a/packages/features/auth/package.json
+++ b/packages/features/auth/package.json
@@ -15,7 +15,7 @@
     "@calcom/ui": "workspace:*",
     "bcryptjs": "2.4.3",
     "dub": "0.59.1",
-    "handlebars": "4.7.7",
+    "handlebars": "4.7.9",
     "jose": "4.15.9",
     "lru-cache": "9.0.3",
     "next-auth": "4.24.13",
diff --git a/yarn.lock b/yarn.lock
index 79f63934b06e83..f1a52c73339c84 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2506,7 +2506,7 @@ __metadata:
     "@calcom/ui": "workspace:*"
     bcryptjs: "npm:2.4.3"
     dub: "npm:0.59.1"
-    handlebars: "npm:4.7.7"
+    handlebars: "npm:4.7.9"
     jose: "npm:4.15.9"
     lru-cache: "npm:9.0.3"
     next-auth: "npm:4.24.13"
@@ -2735,7 +2735,7 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@calcom/lib@workspace:*, @calcom/lib@workspace:packages/lib":
+"@calcom/lib@npm:*, @calcom/lib@workspace:*, @calcom/lib@workspace:packages/lib":
   version: 0.0.0-use.local
   resolution: "@calcom/lib@workspace:packages/lib"
   dependencies:
@@ -2780,9 +2780,9 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@calcom/lyra@workspace:packages/app-store/lyra"
   dependencies:
-    "@calcom/lib": "workspace:*"
-    "@calcom/prisma": "workspace:*"
-    "@calcom/types": "workspace:*"
+    "@calcom/lib": "npm:*"
+    "@calcom/prisma": "npm:*"
+    "@calcom/types": "npm:*"
   languageName: unknown
   linkType: soft
 
@@ -2972,7 +2972,7 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@calcom/prisma@workspace:*, @calcom/prisma@workspace:packages/prisma":
+"@calcom/prisma@npm:*, @calcom/prisma@workspace:*, @calcom/prisma@workspace:packages/prisma":
   version: 0.0.0-use.local
   resolution: "@calcom/prisma@workspace:packages/prisma"
   dependencies:
@@ -3212,7 +3212,7 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@calcom/types@workspace:*, @calcom/types@workspace:packages/types":
+"@calcom/types@npm:*, @calcom/types@workspace:*, @calcom/types@workspace:packages/types":
   version: 0.0.0-use.local
   resolution: "@calcom/types@workspace:packages/types"
   dependencies:
@@ -3415,7 +3415,7 @@ __metadata:
     env-cmd: "npm:10.1.0"
     glob: "npm:10.4.5"
     google-auth-library: "npm:9.15.0"
-    handlebars: "npm:4.7.7"
+    handlebars: "npm:4.7.9"
     i18next: "npm:23.2.3"
     ical.js: "npm:1.5.0"
     ics: "npm:2.37.0"
@@ -24183,12 +24183,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"handlebars@npm:4.7.7":
-  version: 4.7.7
-  resolution: "handlebars@npm:4.7.7"
+"handlebars@npm:4.7.9":
+  version: 4.7.9
+  resolution: "handlebars@npm:4.7.9"
   dependencies:
     minimist: "npm:^1.2.5"
-    neo-async: "npm:^2.6.0"
+    neo-async: "npm:^2.6.2"
     source-map: "npm:^0.6.1"
     uglify-js: "npm:^3.1.4"
     wordwrap: "npm:^1.0.0"
@@ -24197,7 +24197,7 @@ __metadata:
       optional: true
   bin:
     handlebars: bin/handlebars
-  checksum: 10/617b1e689b7577734abc74564bdb8cdaddf8fd48ce72afdb489f426e9c60a7d6ee2a2707c023720c4059070128243c948bded8f2716e4543378033e3971b85ea
+  checksum: 10/e755433d652e8a15fc02f83d7478e652359e7a4d354c4328818853ed4f8a39d4a09e1d22dad3c7213c5240864a65b3c840970b8b181745575dd957dd258f2b8d
   languageName: node
   linkType: hard
 
@@ -29987,7 +29987,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"neo-async@npm:^2.6.0, neo-async@npm:^2.6.2":
+"neo-async@npm:^2.6.2":
   version: 2.6.2
   resolution: "neo-async@npm:2.6.2"
   checksum: 10/1a7948fea86f2b33ec766bc899c88796a51ba76a4afc9026764aedc6e7cde692a09067031e4a1bf6db4f978ccd99e7f5b6c03fe47ad9865c3d4f99050d67e002

From a42b51051ecf842b2d1d412da3043158a102c00f Mon Sep 17 00:00:00 2001
From: dhruveshmishra <dhruveshmishra09@gmail.com>
Date: Sat, 28 Mar 2026 14:18:11 +0530
Subject: [PATCH 2/5] fix: improve German translation for reschedule button
 #28607 (#28624)

* fix: improve German translation for reschedule button

* fix: use accurate German translation for reschedule button

Change "Neuen Termin buchen" (Book new appointment) to "Neu terminieren"
(Re-schedule) to align with the English "Reschedule" meaning.

---------

Co-authored-by: Romit <romitgabani1.work@gmail.com>
---
 packages/i18n/locales/de/common.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/i18n/locales/de/common.json b/packages/i18n/locales/de/common.json
index 777365bdba1089..546f5ac4f08a29 100644
--- a/packages/i18n/locales/de/common.json
+++ b/packages/i18n/locales/de/common.json
@@ -773,7 +773,7 @@
   "attendee_phone_number": "Telefonnummer",
   "organizer_phone_number": "Telefonnummer des Organisators",
   "enter_phone_number": "Telefonnummer eingeben",
-  "reschedule": "Neuplanen",
+  "reschedule": "Neu terminieren",
   "reschedule_this": "Stattdessen verschieben",
   "book_a_team_member": "Teammitglied stattdessen buchen",
   "or": "ODER",

From 56099f0107b9f537e279da62d255d18c197993fa Mon Sep 17 00:00:00 2001
From: Romit <85230081+romitg2@users.noreply.github.com>
Date: Sat, 28 Mar 2026 14:18:49 +0530
Subject: [PATCH 3/5] fix: add missing vi.mock() calls to parseFrontmatter test
 to prevent vitest worker shutdown flakiness (#28626)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 .../apps/[slug]/__tests__/parseFrontmatter.test.ts   | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts b/apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts
index 9848533e3bf4b7..0a5a0de5ca03f7 100644
--- a/apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts
+++ b/apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts
@@ -1,4 +1,14 @@
-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("@calcom/prisma", () => ({
+  default: {},
+  prisma: {},
+}));
+
+vi.mock("@calcom/app-store/_appRegistry", () => ({
+  getAppWithMetadata: vi.fn(),
+}));
+
 import { parseFrontmatter } from "../getStaticProps";
 
 describe("parseFrontmatter", () => {

From d6852783b47411ab7016626767c0fc31d32a4782 Mon Sep 17 00:00:00 2001
From: "Yadong (Adam)" <zhyd007@gmail.com>
Date: Sat, 28 Mar 2026 16:49:58 +0800
Subject: [PATCH 4/5] fix(apps/web): update `digitClassName` in
 `VerifyCodeDialog` for improved dark mode styling (#28623)

---
 apps/web/modules/bookings/components/VerifyCodeDialog.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/web/modules/bookings/components/VerifyCodeDialog.tsx b/apps/web/modules/bookings/components/VerifyCodeDialog.tsx
index cc7bddac843bca..d1792795d4384a 100644
--- a/apps/web/modules/bookings/components/VerifyCodeDialog.tsx
+++ b/apps/web/modules/bookings/components/VerifyCodeDialog.tsx
@@ -82,7 +82,8 @@ export const VerifyCodeDialog = ({
 
   useEffect(() => setValue(""), [isOpenDialog]);
 
-  const digitClassName = "h-12 w-12 text-xl! text-center";
+  const digitClassName =
+    "h-12 w-12 text-center text-xl! text-emphasis caret-emphasis [-webkit-text-fill-color:currentColor]";
 
   return (
     <Dialog

From d80493f201a72afe0d94a19953a5483052bac137 Mon Sep 17 00:00:00 2001
From: Romit <85230081+romitg2@users.noreply.github.com>
Date: Sat, 28 Mar 2026 14:52:01 +0530
Subject: [PATCH 5/5] fix: resolve flaky API v2 slots-2024-04-15 E2E tests
 (#28589)

- Add await to unawaited bookingSeatsRepositoryFixture.create calls
- Clean up leftover selected slots before seated event tests

The flakiness was caused by two issues:
1. Missing await on bookingSeatsRepositoryFixture.create() - the HTTP
   request to fetch slots could execute before the booking seat record
   was written to the database, leading to incorrect seat counts.
2. Leftover SelectedSlots records leaking between test groups - the
   availability calculation fetches all unexpired reserved slots by
   userId (not eventTypeId), so reserved slots from earlier tests
   appeared as busy times when computing slots for seated event types.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 .../controllers/slots.controller.e2e-spec.ts              | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/api/v2/src/modules/slots/slots-2024-04-15/controllers/slots.controller.e2e-spec.ts b/apps/api/v2/src/modules/slots/slots-2024-04-15/controllers/slots.controller.e2e-spec.ts
index 3a7283f9828dd7..236cfc8beb56ca 100644
--- a/apps/api/v2/src/modules/slots/slots-2024-04-15/controllers/slots.controller.e2e-spec.ts
+++ b/apps/api/v2/src/modules/slots/slots-2024-04-15/controllers/slots.controller.e2e-spec.ts
@@ -513,6 +513,8 @@ describe("Slots 2024-04-15 Endpoints", () => {
     });
 
     it("should do a booking for seated event and slot should show attendees count and bookingUid", async () => {
+      await selectedSlotRepositoryFixture.deleteAllByUserId(user.id);
+
       const startTime = "2050-09-05T11:00:00.000Z";
       const booking = await bookingsRepositoryFixture.create({
         uid: `booking-uid-seated-${seatedEventTypeId}-${randomString()}`,
@@ -548,7 +550,7 @@ describe("Slots 2024-04-15 Endpoints", () => {
         },
       });
 
-      bookingSeatsRepositoryFixture.create({
+      await bookingSeatsRepositoryFixture.create({
         referenceUid: `seat-${randomString()}`,
         data: {},
         booking: {
@@ -596,6 +598,8 @@ describe("Slots 2024-04-15 Endpoints", () => {
     });
 
     it("should do a booking for seated event and slot should show attendees count and bookingUid in range format", async () => {
+      await selectedSlotRepositoryFixture.deleteAllByUserId(user.id);
+
       const startTime = "2050-09-05T11:00:00.000Z";
       const booking = await bookingsRepositoryFixture.create({
         uid: `booking-uid-seated-${seatedEventTypeId}-${randomString()}`,
@@ -631,7 +635,7 @@ describe("Slots 2024-04-15 Endpoints", () => {
         },
       });
 
-      bookingSeatsRepositoryFixture.create({
+      await bookingSeatsRepositoryFixture.create({
         referenceUid: `seat-${randomString()}`,
         data: {},
         booking: {