From e0a52b77f3f581276245b2f8710d5e63144a38b9 Mon Sep 17 00:00:00 2001
From: Alex Prokop
Date: Wed, 1 Apr 2026 15:57:41 +0100
Subject: [PATCH 1/2] fix: upgrade handlebars to 4.7.9 via npm override to resolve critical CVEs

Add npm overrides to force handlebars to ^4.7.9, resolving 8 CVEs affecting all 4.0.0-4.7.8 versions (GHSA-2w6w-674q-4c4q critical, GHSA-3mfm-83xf-c92r high, GHSA-3mfm-83xf-c92r, and others). The vulnerable version was introduced via the conventional-changelog-writer transitive dependency.

Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 7 ++++---
 package.json | 3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4f9b4be..44e9f0e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5012,10 +5012,11 @@
 "dev": true
 },
 "node_modules/handlebars": {
- "version": "4.7.8",
- "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz",
- "integrity": "sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==",
+ "version": "4.7.9",
+ "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.9.tgz",
+ "integrity": "sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==",
 "dev": true,
+ "license": "MIT",
 "dependencies": {
 "minimist": "^1.2.5",
 "neo-async": "^2.6.2",
diff --git a/package.json b/package.json
index 7ab60ea..9cfe04c 100644
--- a/package.json
+++ b/package.json
@@ -51,6 +51,9 @@
 "typescript": "^4.7.4",
 "yaml-lint": "^1.7.0"
 },
+ "overrides": {
+ "handlebars": "^4.7.9"
+ },
 "lint-staged": {
 "**/*.ts": [
 "npm run style:base --",
From 75014e7b293470dc9b1c6069b3ddc4d8f59ec664 Mon Sep 17 00:00:00 2001
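Review bot: The `overrides` block added to package.json is only understood by npm 8.3 and later; an older npm ignores the field without any warning and leaves the handlebars version to whatever conventional-changelog-writer requests, so on such a toolchain the fix would rest on the lockfile pin alone. The package-lock.json hunk in this patch does pin 4.7.9 with a fresh integrity hash, so `npm ci` installs the patched release today, but any later re-resolution of the tree depends on the override actually being honored. Consider stating the floor with an `"engines": { "npm": ">=8.3.0" }` entry in package.json and confirming the npm version used in CI. The second patch in this series narrows the key to `"handlebars@>=4.0.0 <4.7.9"`, which does not change this requirement.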
From: Alex Prokop
Date: Thu, 2 Apr 2026 11:00:36 +0100
Subject: [PATCH 2/2] fix: add version range specifier to handlebars override

Narrow the handlebars override to the vulnerable range (>=4.0.0 <4.7.9) so npm only applies the resolution when the affected versions are requested.

Co-Authored-By: Claude Sonnet 4.6
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9cfe04c..a0f31ed 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
 "yaml-lint": "^1.7.0"
 },
 "overrides": {
- "handlebars": "^4.7.9"
+ "handlebars@>=4.0.0 <4.7.9": "^4.7.9"
 },
 "lint-staged": {
 "**/*.ts": [
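Review bot: The narrowed key `"handlebars@>=4.0.0 <4.7.9": "^4.7.9"` is only exercised when npm re-resolves the tree, and this patch leaves package-lock.json untouched while the previous patch already pins handlebars 4.7.9 there, so `npm ci` would not reveal a key that npm fails to parse or match. Please run `npm install` with this change applied and confirm via `npm explain handlebars` (or `npm ls handlebars`) that every path still resolves to 4.7.9 and that the lockfile needs no further update. As far as I can tell npm matches a `name@range` key against each dependency's requested range, so a request such as `^4.7.9` (or a future major) passes through unchanged, which is the safer behaviour and worth one sentence in the commit message. If the range form should turn out to be unsupported on the npm in use, the earlier unrestricted `"handlebars": "^4.7.9"` is the fallback, with the caveat that it would also force a future handlebars 5.x request down to 4.7.x.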