fix: patch handlebars GHSA-2w6w-674q-4c4q (CVSS 9.8) — verify 4.7.9 in lockfile#1501
Draft
Copilot (AI) changed the title from "[WIP] Fix critical JavaScript injection vulnerability in handlebars" to "fix: patch handlebars GHSA-2w6w-674q-4c4q (CVSS 9.8) — verify 4.7.9 in lockfile" on Mar 30, 2026.
Contributor: Smoke test matrix:

Contributor: 🏗️ Build Test Suite Results — Overall: 8/8 ecosystems passed — ✅ PASS
handlebars@4.7.8 (transitive via ts-jest) carried a critical JS injection vulnerability (GHSA-2w6w-674q-4c4q, CVSS 9.8) enabling arbitrary code execution via AST type confusion. Affects CI/dev environments only — not shipped in production or container images.

Changes

- package-lock.json: handlebars already resolves to 4.7.9 (patched); confirmed npm audit reports 0 vulnerabilities across all related GHSAs (GHSA-2w6w-674q-4c4q, GHSA-xjpj-3mr7-gcpf, GHSA-xhpv-hc6g-r9c6, GHSA-9cx6-37pm-9jff, GHSA-3mfm-83xf-c92r)

The fix was already present in the dependency tree. This PR closes the security issue formally raised by the Dependency Security Monitor.
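The verification step the PR describes (confirming that the lockfile resolves handlebars to the patched 4.7.9) is easy to get wrong when a package appears more than once in the tree: a hoisted copy at `node_modules/handlebars` can be patched while a nested copy under another package still pins the vulnerable release. The following Node.js script is an added example, not code from this PR or the repository it targets. It reads a `package-lock.json` and reports every copy of a named package that resolves below a minimum version, handling both lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages` map). The sample lockfile embedded in it is constructed for illustration, and the `ts-jest > handlebars 4.7.8` nesting in it is made up to show a failing case; the version comparison ignores prerelease tags, which is an assumption that holds for the plain `4.7.8` vs `4.7.9` comparison discussed here.

```javascript
// Added example, not code from the PR or the repository it targets.
// Verifies that every copy of a package resolved in package-lock.json is at or
// above a minimum version. Handles lockfileVersion 1 (nested "dependencies")
// and lockfileVersion 2/3 (flat "packages" map keyed by node_modules path).

// Numeric comparison of dotted versions. Assumption: prerelease/build tags are
// not handled, which is fine for the "4.7.8 < 4.7.9" case discussed here.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: walk the nested "dependencies" tree recursively.
function collectV1(deps, name, parentPath, out) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = parentPath ? `${parentPath} > ${dep}` : dep;
    if (dep === name) out.push({ path: here, version: info.version });
    collectV1(info.dependencies, name, here, out);
  }
}

// Return every occurrence of `name` in a parsed lockfile, with its install path.
function findPackage(lock, name) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths such as
    // "node_modules/ts-jest/node_modules/handlebars" (nested copies included).
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        out.push({ path: key, version: info.version });
      }
    }
  } else {
    collectV1(lock.dependencies, name, '', out);
  }
  return out;
}

// Occurrences that are below `minVersion`; an empty result means the lockfile passes.
function checkLock(lock, name, minVersion) {
  return findPackage(lock, name).filter(
    (occ) => compareVersions(occ.version, minVersion) < 0
  );
}

// Constructed sample lockfile (v3 shape). The hoisted copy is patched, but a
// nested copy under ts-jest is still 4.7.8, which is exactly the case a
// top-level-only check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.7.9' },
    'node_modules/ts-jest': { version: '29.0.0' },
    'node_modules/ts-jest/node_modules/handlebars': { version: '4.7.8' },
  },
};

// CLI usage: node check-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample is checked instead.
if (typeof require !== 'undefined' && require.main === module) {
  const MIN = '4.7.9';
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK;
  const bad = checkLock(lock, 'handlebars', MIN);
  for (const occ of bad) {
    console.log(`FAIL ${occ.path} resolves to ${occ.version} (< ${MIN})`);
  }
  if (bad.length === 0) console.log(`PASS: every handlebars copy is >= ${MIN}`);
  // Only fail the process for a real lockfile; the built-in sample is a demo.
  if (file && bad.length > 0) process.exitCode = 1;
}
```

This complements rather than replaces `npm audit`: the audit consults the advisory database, while this check pins the exact version floor you decided on and fails on any nested copy, so it is a cheap guard to run in CI after a fix like this one lands.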