From ef7eb5d6ebd7b4edfd30d32f91cb9a11dcefbf73 Mon Sep 17 00:00:00 2001 From: danney-chun <63285271+danney-chun@users.noreply.github.com> Date: Mon, 1 Jun 2026 17:59:07 +0900 Subject: [PATCH] [fix]: bump handlebars to 4.7.9 (SECURE-3011) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2026-33941 / GHSA-xjpj-3mr7-gcpf — handlebars CLI precompiler code injection / XSS vulnerability. handlebars is a transitive devDependency via plop → node-plop, so production bundles are not affected, but we bump for supply-chain hygiene. Forced via yarn resolutions since node-plop pins ^4.4.3. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 3 ++- yarn.lock | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 54c49e5c9..d4f696b3b 100644 --- a/package.json +++ b/package.json @@ -170,6 +170,7 @@ "svgo@^2.7.0": "^2.8.1", "svgo@^3.0.2": "^3.3.3", "rollup@^4.20.0": "^4.59.0", - "@babel/plugin-transform-modules-systemjs": "^7.29.4" + "@babel/plugin-transform-modules-systemjs": "^7.29.4", + "handlebars@^4.4.3": "^4.7.9" } } diff --git a/yarn.lock b/yarn.lock index 9636afd35..ed8593621 100644 --- a/yarn.lock +++ b/yarn.lock @@ -8183,9 +8183,9 @@ __metadata: languageName: node linkType: hard -"handlebars@npm:^4.4.3": - version: 4.7.8 - resolution: "handlebars@npm:4.7.8" +"handlebars@npm:^4.7.9": + version: 4.7.9 + resolution: "handlebars@npm:4.7.9" dependencies: minimist: ^1.2.5 neo-async: ^2.6.2 @@ -8197,7 +8197,7 @@ __metadata: optional: true bin: handlebars: bin/handlebars - checksum: 00e68bb5c183fd7b8b63322e6234b5ac8fbb960d712cb3f25587d559c2951d9642df83c04a1172c918c41bcfc81bfbd7a7718bbce93b893e0135fc99edea93ff + checksum: ac39070fc1c3c76a654e4b526383eaf1601976eaa474547b263915b4806977f083600e586ca923709baeed7c82a42640bcc9cc04c37a7efd3fb444f49b8347d6 languageName: node linkType: hard