fix(deps): bump handlebars 4.7.8 → 4.7.9 (CVE-2026-33937) #164

Merged: gyermich merged 1 commit into main from fix/CVE-2026-33937-handlebars on Apr 16, 2026
Conversation

@gyermich (Contributor) commented Apr 16, 2026

Security Fix

Bumps `handlebars` from 4.7.8 → 4.7.9 to resolve a critical security vulnerability.

Vulnerability

CVE-2026-33937 — Handlebars.js JavaScript Injection via AST Type Confusion

What changed

handlebars is a transitive dependency pulled in by semantic-release → conventional-changelog-writer@7.0.1, which specifies handlebars: "^4.7.7". That range already covers 4.7.9; the lockfile was stale at 4.7.8. Only pnpm-lock.yaml needed updating; no package.json changes are required.

Verified with pnpm why handlebars:

└── handlebars 4.7.9
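The reasoning in the description (the declared range already admits the patched version, so only the lockfile moves) is a check worth mechanising when triaging a transitive-dependency advisory. The following is an added example, not code from this PR, from pnpm, or from handlebars: a small range checker that classifies a fix as lockfile-only, range-change, or already-fixed. Its inputs are constructed to mirror the PR (range ^4.7.7, locked 4.7.8, fixed 4.7.9), it handles only exact, tilde and caret ranges (the real `semver` package covers far more), and all function names are its own.

```javascript
// Added example, not code from this PR, pnpm, or handlebars: given the range a
// dependent declares, the version pinned in the lockfile, and the first patched
// version, decide whether re-resolving the lockfile is enough or the declared
// range itself must change. Only exact, tilde and caret ranges are handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b component-wise (major, minor, patch).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exact ("4.7.7"), tilde ("~4.7.7": only patch may move) and caret ("^4.7.7":
// the leftmost non-zero component is fixed, as npm defines caret ranges).
function satisfiesRange(range, version) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = r.slice(op.length);
  const [x, y, z] = parseVersion(base);
  const [vx, vy, vz] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false; // below the lower bound
  if (op === '') return vx === x && vy === y && vz === z;
  if (op === '~') return vx === x && vy === y;
  if (x > 0) return vx === x;
  if (y > 0) return vx === 0 && vy === y;
  return vx === 0 && vy === 0 && vz === z;
}

// Classify what a fix for `dependency` requires in this workspace.
function planFix({ dependency, declaredRange, lockedVersion, fixedVersion }) {
  if (compareVersions(lockedVersion, fixedVersion) >= 0) {
    return { action: 'none',
      detail: `${dependency}@${lockedVersion} already includes the fix` };
  }
  if (satisfiesRange(declaredRange, fixedVersion)) {
    return { action: 'lockfile-only',
      detail: `${declaredRange} already admits ${fixedVersion}; re-resolve the lockfile, no manifest change needed` };
  }
  return { action: 'range-change',
    detail: `${declaredRange} excludes ${fixedVersion}; the dependent's range must widen or the workspace needs an override` };
}

// Constructed input mirroring the PR description (not read from a real lockfile).
const prCase = {
  dependency: 'handlebars',
  declaredRange: '^4.7.7',   // declared by conventional-changelog-writer@7.0.1
  lockedVersion: '4.7.8',    // stale lockfile entry
  fixedVersion: '4.7.9',     // first version carrying the CVE-2026-33937 fix
};

console.log(planFix(prCase)); // action: 'lockfile-only'
```

The same function answers the opposite case: if the dependent had pinned `~4.7.7` and the fix had shipped as 4.8.0, `planFix` returns `range-change`, which is the signal that a lockfile refresh alone would silently leave the vulnerable version in place.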

Copilot AI review requested due to automatic review settings April 16, 2026 20:40

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

codecov bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.13%. Comparing base (da78d4d) to head (fb72396).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #164   +/-   ##
=======================================
  Coverage   80.13%   80.13%           
=======================================
  Files          44       44           
  Lines         589      589           
  Branches      111      111           
=======================================
  Hits          472      472           
  Misses         77       77           
  Partials       40       40           


Resolves CVE-2026-33937 (CVSS 9.8 Critical): JavaScript Injection via AST
Type Confusion in Handlebars.js. handlebars was a transitive dependency via
semantic-release → conventional-changelog-writer@7.0.1, which already
specifies ^4.7.7. Updated pnpm-lock.yaml to resolve to 4.7.9.
@gyermich gyermich force-pushed the fix/CVE-2026-33937-handlebars branch from feff350 to fb72396 Compare April 16, 2026 20:48
@gyermich gyermich marked this pull request as draft April 16, 2026 21:18
@gyermich gyermich marked this pull request as ready for review April 16, 2026 21:24
Copilot AI review requested due to automatic review settings April 16, 2026 21:24

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@gyermich gyermich merged commit 2a0662f into main Apr 16, 2026
12 checks passed
@gyermich gyermich deleted the fix/CVE-2026-33937-handlebars branch April 16, 2026 21:32
github-actions bot commented
🎉 This PR is included in version 2.3.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

3 participants