Skip to content

fix: [handlebars] Upgrade handlebars from 4.0.14 to 4.7.9 (via hbs ^4.2.1) to resolve CVE prototype pollution (SNYK-JS-HANDLEBARS-534988)#46

Open
devin-ai-integration[bot] wants to merge 2 commits into
mainfrom
devin/1782325338-fix-handlebars-prototype-pollution
Open

fix: [handlebars] Upgrade handlebars from 4.0.14 to 4.7.9 (via hbs ^4.2.1) to resolve CVE prototype pollution (SNYK-JS-HANDLEBARS-534988)#46
devin-ai-integration[bot] wants to merge 2 commits into
mainfrom
devin/1782325338-fix-handlebars-prototype-pollution

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Resolves the highest-CVSS finding from the Snyk scan: Prototype Pollution in handlebars 4.0.14 (CVSS 9.8, SNYK-JS-HANDLEBARS-534988), reported on the production path goof > hbs > handlebars.

handlebars is pulled in transitively by the direct dependency hbs. Rather than an npm overrides pin (which the Snyk CLI's npm lockfile parser rejects with SNYK-CLI-0000 "out of sync"), this bumps the direct dependency hbs so its handlebars resolves to a patched release — matching Snyk's own upgrade path.

-"hbs": "^4.0.4",
+"hbs": "^4.2.1",

hbs@4.2.1 depends on handlebars@4.7.9, so package-lock.json now resolves node_modules/handlebars to 4.7.9 (was 4.0.14). 4.7.9 clears the prototype-pollution fix line (>=4.5.3) and the later handlebars Type Confusion CVEs (>=4.7.9).

Verified locally: snyk test parses the regenerated lockfile and produces SARIF (the prior overrides approach broke parsing); node_modules/handlebars resolves to 4.7.9.

Note: a separate handlebars@4.0.11 copy bundled under the tap/nyc test toolchain remains and would require a major tap upgrade; tracked as follow-up. One vulnerability per PR; part of a set of 5 fix PRs for the top findings.

Link to Devin session: https://app.devin.ai/sessions/d6b18d8e5ad94506b760971485ceb694
Requested by: @hannahhuh-cog


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

…K-JS-HANDLEBARS-534988)

Co-Authored-By: Hannah Huh <hannah.huh@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

…otype Pollution (SNYK-JS-HANDLEBARS-534988)

Co-Authored-By: Hannah Huh <hannah.huh@cognition.ai>
@devin-ai-integration devin-ai-integration Bot changed the title fix: [handlebars] Upgrade handlebars from 4.0.14 to 4.7.9 to resolve SNYK-JS-HANDLEBARS-534988 (Prototype Pollution) fix: [handlebars] Upgrade handlebars from 4.0.14 to 4.7.9 (via hbs ^4.2.1) to resolve CVE prototype pollution (SNYK-JS-HANDLEBARS-534988) Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants