Skip to content

fix: upgrade handlebars to 4.7.9, fix pre-push hook#1134

Merged
jdalton merged 4 commits intomainfrom
fix/upgrade-handlebars-4.7.9
Mar 30, 2026
Merged

fix: upgrade handlebars to 4.7.9, fix pre-push hook#1134
jdalton merged 4 commits intomainfrom
fix/upgrade-handlebars-4.7.9

Conversation

@jdalton
Copy link
Copy Markdown
Contributor

@jdalton jdalton commented Mar 29, 2026
edited by cursor bot
Loading

Summary

  • Upgrades handlebars from 4.7.8 to 4.7.9, resolving all 6 open Dependabot alerts (1 critical, 4 high, 1 medium)
  • Fixes pre-push hook false positives on new branches by comparing against origin/main instead of release tags

Dependabot alerts resolved

Test plan

  • pnpm run check passes
  • Pre-push hook correctly validates only new commits on branch push

Note

Medium Risk
Moderate risk because it changes the mandatory pre-push enforcement range selection, which could block/allow pushes incorrectly if the remote default branch detection or shallow-clone fallback misbehaves; the dependency bump is low risk and security-motivated.

Overview
Improves mandatory pre-push validation on new branches by switching the commit range baseline from “latest v* release tag” to the remote’s default branch (falling back to main), with a guard/fallback when the remote ref isn’t available locally.

Upgrades handlebars to 4.7.9 for packages/package-builder, updating pnpm-lock.yaml accordingly.

Written by Cursor Bugbot for commit b95e8f0. Configure here.

jdalton added 2 commits March 29, 2026 00:08
@jdalton
fix: upgrade handlebars to 4.7.9 (6 CVEs)
086c4f8 
Addresses all 6 open Dependabot alerts:
- CVE-2026-33937 (critical): JS Injection via AST Type Confusion
- CVE-2026-33941 (high): JS Injection in CLI Precompiler
- CVE-2026-33940 (high): JS Injection via AST Type Confusion (dynamic partial)
- CVE-2026-33939 (high): DoS via Malformed Decorator Syntax
- CVE-2026-33938 (high): JS Injection via AST Type Confusion (@partial-block)
- CVE-2026-33916 (medium): Prototype Pollution Leading to XSS
@jdalton
fix: pre-push hook checks commits already on remote
f09224f 
For new branches, compare against remote default branch instead of
searching for release tags. The tag-based approach included commits
already on origin/main, causing false positives for AI attribution.
@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 29, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​handlebars@​4.7.8 ⏵ 4.7.999 +1100 +75100 +191100

View full report

@socket-security-staging
Copy link
Copy Markdown

socket-security-staging bot commented Mar 29, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​handlebars@​4.7.8 ⏵ 4.7.999 +1100 +75100 +191 +6100

View full report

cursor[bot]
cursor bot reviewed Mar 29, 2026
View reviewed changes
@jdalton
Copy link
Copy Markdown
Contributor Author

jdalton commented Mar 30, 2026

@cursor review

cursor[bot]
cursor bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@jdalton jdalton merged commit dd8ac74 into main Mar 30, 2026
14 checks passed
@jdalton jdalton deleted the fix/upgrade-handlebars-4.7.9 branch March 30, 2026 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@divmain divmain divmain approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jdalton @divmain