fix: [handlebars] Upgrade handlebars from 4.0.14 to 4.7.9 (via hbs ^4.2.1) to resolve CVE prototype pollution (SNYK-JS-HANDLEBARS-534988)#46
Open
devin-ai-integration[bot] wants to merge 2 commits into
Conversation
…K-JS-HANDLEBARS-534988) Co-Authored-By: Hannah Huh <hannah.huh@cognition.ai>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
…otype Pollution (SNYK-JS-HANDLEBARS-534988) Co-Authored-By: Hannah Huh <hannah.huh@cognition.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the highest-CVSS finding from the Snyk scan: Prototype Pollution in
handlebars4.0.14 (CVSS 9.8,SNYK-JS-HANDLEBARS-534988), reported on the production pathgoof > hbs > handlebars.handlebarsis pulled in transitively by the direct dependencyhbs. Rather than an npmoverridespin (which the Snyk CLI's npm lockfile parser rejects withSNYK-CLI-0000"out of sync"), this bumps the direct dependencyhbsso its handlebars resolves to a patched release — matching Snyk's own upgrade path.hbs@4.2.1depends onhandlebars@4.7.9, sopackage-lock.jsonnow resolvesnode_modules/handlebarsto 4.7.9 (was 4.0.14). 4.7.9 clears the prototype-pollution fix line (>=4.5.3) and the later handlebars Type Confusion CVEs (>=4.7.9).Verified locally:
snyk testparses the regenerated lockfile and produces SARIF (the prioroverridesapproach broke parsing);node_modules/handlebarsresolves to 4.7.9.9e26acce-22c7-4efc-b470-21d9587f49fe, projectgoof(npm)Note: a separate
handlebars@4.0.11copy bundled under thetap/nyctest toolchain remains and would require a majortapupgrade; tracked as follow-up. One vulnerability per PR; part of a set of 5 fix PRs for the top findings.Link to Devin session: https://app.devin.ai/sessions/d6b18d8e5ad94506b760971485ceb694
Requested by: @hannahhuh-cog
Devin Review