
fix: upgrade handlebars to 4.7.9 to resolve critical security vulnerabilities #15

Merged
baseten merged 2 commits into master from fix/security-handlebars on Apr 2, 2026

Conversation

baseten commented Apr 1, 2026

Summary

  • Adds an npm overrides entry to force handlebars to ^4.7.9, resolving all known CVEs in the 4.0.0 – 4.7.8 range
  • The vulnerable version was pulled in transitively via conventional-changelog-writer (used by semantic-release)
  • After the fix, npm audit no longer reports any handlebars vulnerabilities

Vulnerabilities fixed

| GHSA | Severity | Title |
| --- | --- | --- |
| GHSA-2w6w-674q-4c4q | Critical (9.8) | JavaScript Injection via AST Type Confusion |
| GHSA-3mfm-83xf-c92r | High (8.1) | JavaScript Injection via AST Type Confusion (@partial-block) |
| GHSA-xjpj-3mr7-gcpf | High (8.3) | JavaScript Injection in CLI Precompiler |
| GHSA-xhpv-hc6g-r9c6 | High (8.1) | JavaScript Injection via AST Type Confusion (dynamic partial) |
| GHSA-9cx6-37pm-9jff | High (7.5) | Denial of Service via Malformed Decorator Syntax |
| GHSA-2qvq-rjwj-gvw9 | Moderate (4.7) | Prototype Pollution Leading to XSS |
| GHSA-7rx3-28cr-v5wh | Moderate (4.8) | Prototype Method Access Control Gap |
| GHSA-442j-39wm-28r2 | Low (3.7) | Property Access Validation Bypass |

Test plan

  • Verify npm audit reports no handlebars vulnerabilities after checkout
  • Confirm existing CI tests pass

🤖 Generated with Claude Code

… CVEs

Add npm overrides to force handlebars to ^4.7.9, resolving 8 CVEs
affecting all 4.0.0-4.7.8 versions (GHSA-2w6w-674q-4c4q critical,
GHSA-3mfm-83xf-c92r high, GHSA-3mfm-83xf-c92r, and others). The
vulnerable version was introduced via the conventional-changelog-writer
transitive dependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@baseten baseten requested a review from treycucco April 1, 2026 16:27

baseten commented Apr 1, 2026

Author

@treycucco I added you as reviewer as I wanted to check with you, since dependabot already opened a similar PR here - #14 - but didn't update the overrides. Are they necessary here or is the package lock change enough?

@baseten baseten marked this pull request as ready for review April 1, 2026 16:27
treycucco commented

Good q. Lots of times the package that depends on the vulnerable package has a range specifier that includes the fix, so you can update package-lock only to the newest version. The nice thing about adding the overrides is it makes sure that we don't ever see the problem again.

Either approach is fine, I personally like to do a package-lock only update when possible, but adding overrides gives us some extra security in the unlikely event that a newer package were to specify the problem package exactly.

Comment thread on package.json (outdated):

        "yaml-lint": "^1.7.0"
      },
      "overrides": {
        "handlebars": "^4.7.9"


I prefer to see a vulnerability range specifier. Specifying the range of vulnerable packages that should update handlebars can protect us against things in the future being downgraded unexpectedly.

Author


Resolved in 75014e7

Narrow the handlebars override to the vulnerable range (>=4.0.0 <4.7.9)
so npm only applies the resolution when the affected versions are requested.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
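To check that the narrowed override actually took effect in the lockfile, the following added example (not code from this repository or the PR) walks a package-lock.json v2/v3 `packages` map and reports every handlebars install still inside the vulnerable range >=4.0.0 <4.7.9 that the override targets; the lockfile fragments and the conventional-changelog-writer version in it are constructed sample data.

```javascript
// Lower bound (inclusive) and fixed version (exclusive) of the affected range,
// i.e. the same ">=4.0.0 <4.7.9" the narrowed override key selects.
const VULN_MIN = [4, 0, 0];
const FIXED = [4, 7, 9];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way compare of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version falls in [4.0.0, 4.7.9).
function isVulnerableHandlebars(version) {
  const v = parseSemver(version);
  return cmp(v, VULN_MIN) >= 0 && cmp(v, FIXED) < 0;
}

// Lockfile paths of every handlebars entry (top-level or nested under another
// package's node_modules) whose resolved version is still in the range.
function findVulnerableHandlebars(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === "handlebars" && isVulnerableHandlebars(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed sample data: a nested 4.7.8 pulled in by conventional-changelog-writer
// (before the override) and a single deduplicated 4.7.9 (after it).
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/conventional-changelog-writer": { version: "0.0.0-constructed" },
  "node_modules/conventional-changelog-writer/node_modules/handlebars": { version: "4.7.8" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/conventional-changelog-writer": { version: "0.0.0-constructed" },
  "node_modules/handlebars": { version: "4.7.9" },
} };
```

Run it against a real lockfile with `findVulnerableHandlebars(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result matches what `npm audit` should report after the override.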
@baseten baseten merged commit cab2151 into master Apr 2, 2026