Fix critical vulnerabilities from daily dependency scan (#21402)

geropl · ona-agent · web-flow · commit 3d124ef857ee · 2026-04-17T09:42:56.000+02:00
* Fix CVE-2026-33937: resolve handlebars to 4.7.9 grpc_tools_node_protoc_ts pins handlebars 4.7.7 and has no fixed release. Use yarn resolutions to force 4.7.9 which patches the JavaScript injection via AST type confusion vulnerability. Co-authored-by: Ona <no-reply@ona.com> * Fix protobufjs arbitrary code execution: bump to 7.5.5 Lockfile-only change. Both @grpc/proto-loader (^7.2.5) and ts-proto (^7.2.4) already accept 7.5.5 via semver, so no package.json or resolution changes needed. Co-authored-by: Ona <no-reply@ona.com> --------- Co-authored-by: Ona <no-reply@ona.com>
diff --git a/package.json b/package.json
@@ -34,6 +34,7 @@
         "loader-utils": "^2.0.4",
         "exec-sh": "^0.4.0",
         "pbkdf2": "^3.1.3",
-        "tough-cookie": "^4.1.3"
+        "tough-cookie": "^4.1.3",
+        "handlebars": "4.7.9"
     }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -8626,22 +8626,10 @@ handle-thing@^2.0.0:
   resolved "https://registry.npmjs.org/handle-thing/-/handle-thing-2.0.1.tgz"
   integrity sha512-9Qn4yBxelxoh2Ow62nP+Ka/kMnOXRi8BXnRaUwezLNhqelnN49xKz4F/dPP8OYLxLxq6JDtZb2i9XznUQbNPTg==
 
-handlebars@4.7.7:
-  version "4.7.7"
-  resolved "https://registry.npmjs.org/handlebars/-/handlebars-4.7.7.tgz"
-  integrity sha512-aAcXm5OAfE/8IXkcZvCepKU3VzW1/39Fb5ZuqMtgI/hT8X2YgoMvBY5dLhq/cpOvw7Lk1nK/UF71aLG/ZnVYRA==
-  dependencies:
-    minimist "^1.2.5"
-    neo-async "^2.6.0"
-    source-map "^0.6.1"
-    wordwrap "^1.0.0"
-  optionalDependencies:
-    uglify-js "^3.1.4"
-
-handlebars@^4.7.7:
-  version "4.7.8"
-  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.7.8.tgz#41c42c18b1be2365439188c77c6afae71c0cd9e9"
-  integrity sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==
+handlebars@4.7.7, handlebars@^4.7.7:
+  version "4.7.9"
+  resolved "https://registry.npmjs.org/handlebars/-/handlebars-4.7.9.tgz"
+  integrity sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==
   dependencies:
     minimist "^1.2.5"
     neo-async "^2.6.2"
@@ -13035,9 +13023,9 @@ property-information@^6.0.0:
   integrity sha512-PgTgs/BlvHxOu8QuEN7wi5A0OmXaBcHpmCSTehcs6Uuu9IkDIEo13Hy7n898RHfrQ49vKCoGeWZSaAK01nwVig==
 
 protobufjs@^7.2.4, protobufjs@^7.2.5:
-  version "7.4.0"
-  resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.4.0.tgz#7efe324ce9b3b61c82aae5de810d287bc08a248a"
-  integrity sha512-mRUWCc3KUU4w1jU8sGxICXH/gNS94DvI1gxqDvBzhj1JpcsimQkYiOJfwsPUykUI5ZaspFbSgmBLER8IrQ3tqw==
+  version "7.5.5"
+  resolved "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz"
+  integrity sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==
   dependencies:
     "@protobufjs/aspromise" "^1.1.2"
     "@protobufjs/base64" "^1.1.2"

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@`
`34`	`34`	`"loader-utils": "^2.0.4",`
`35`	`35`	`"exec-sh": "^0.4.0",`
`36`	`36`	`"pbkdf2": "^3.1.3",`
`37`		`- "tough-cookie": "^4.1.3"`
	`37`	`+ "tough-cookie": "^4.1.3",`
	`38`	`+ "handlebars": "4.7.9"`
`38`	`39`	`}`
`39`	`40`	`}`