Bump the npm_and_yarn group across 4 directories with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /src/ProjectTemplates/Web.Spa.ProjectTemplates/content/Angular-CSharp/ClientApp directory: node-forge.
Bumps the npm_and_yarn group with 1 update in the /src/ProjectTemplates/Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp directory: node-forge.
Bumps the npm_and_yarn group with 1 update in the /src/ProjectTemplates/Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp directory: node-forge.
Bumps the npm_and_yarn group with 1 update in the /src/SignalR/clients/ts/common directory: handlebars.

Removes node-forge

Updates node-forge from 0.9.0 to 1.4.0

Changelog

Sourced from node-forge's changelog.

Forge ChangeLog

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch

... (truncated)

Commits

• See full diff in compare view

Updates yaml from 1.9.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates node-forge from 0.9.0 to 1.4.0

Changelog

Sourced from node-forge's changelog.

Forge ChangeLog

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch

... (truncated)

Commits

• See full diff in compare view

Updates yaml from 1.9.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates handlebars from 4.1.2 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

v4.7.8

• Make library compatible with workers (#1894) - 3d3796c
• Don't rely on Node.js global object (#1776) - 2954e7e
• Fix compiling of each block params in strict mode (#1855) - 30dbf04
• Fix rollup warning when importing Handlebars as ESM - 03d387b
• Fix bundler issue with webpack 5 (#1862) - c6c6bbb
• Use https instead of git for mustache submodule - 88ac068

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

v4.7.8 - July 27th, 2023

• Make library compatible with workers (#1894) - 3d3796c
• Don't rely on Node.js global object (#1776) - 2954e7e
• Fix compiling of each block params in strict mode (#1855) - 30dbf04
• Fix rollup warning when importing Handlebars as ESM - 03d387b
• Fix bundler issue with webpack 5 (#1862) - c6c6bbb
• Use https instead of git for mustache submodule - 88ac068

Commits

v4.7.7 - February 15th, 2021

• fix weird error in integration tests - eb860c0
• fix: check prototype property access in strict-mode (#1736) - b6d3de7
• fix: escape property names in compat mode (#1736) - f058970
• refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
• chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

• the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

• #1672 - Switch cmd parser to latest minimist (@​dougwilson

Compatibility notes:

• Restored Node.js compatibility

... (truncated)

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.