Skip to content

fix(security): bump handlebars to 4.7.9 to clear RCE advisory#8395

Open
qnixsynapse wants to merge 1 commit into
mainfrom
fix/docs-handlebars-rce
Open

fix(security): bump handlebars to 4.7.9 to clear RCE advisory#8395
qnixsynapse wants to merge 1 commit into
mainfrom
fix/docs-handlebars-rce

Conversation

@qnixsynapse

Copy link
Copy Markdown
Contributor

Describe Your Changes

  • handlebars 4.7.8 (transitive via the plop devDependency) is flagged by GHSA for JavaScript injection via AST type confusion in Handlebars.compile(). Not reachable in Jan (docs is a static Nextra site with no runtime Handlebars.compile of untrusted input; plop runs only locally for blog-post scaffolding), but pin the patched version via a yarn resolution to clear the 8 open Dependabot alerts.

Fixes Issues

  • Closes #
  • Closes #

Self Checklist

  • Added relevant comments, esp in complex areas
  • Updated docs (for bug fixes / features)
  • Created issues for follow-up changes or refactoring needed

handlebars 4.7.8 (transitive via the plop devDependency) is flagged by
GHSA for JavaScript injection via AST type confusion in
Handlebars.compile(). Not reachable in Jan (docs is a static Nextra site
with no runtime Handlebars.compile of untrusted input; plop runs only
locally for blog-post scaffolding), but pin the patched version via a
yarn resolution to clear the 8 open Dependabot alerts.
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Preview URL: https://e318646b.docs-9ba.pages.dev

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

1 participant