Skip to content

chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9#143

Open
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/handlebars-4.7.9
Open

chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9#143
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/handlebars-4.7.9

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 27, 2026
edited by cubic-dev-ai Bot
Loading

Bumps handlebars from 4.7.8 to 4.7.9.

Release notes

Sourced from handlebars's releases.

v4.7.9

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

  • fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
  • fix type "RuntimeOptions" also accepting string partials - eab1d14
  • feat(types): set hash to be a Record<string, any> - de4414d
  • fix non-contiguous program indices - 4512766
  • refactor: rename i to startPartIndex - e497a35
  • security: fix security issues - 68d8df5

Commits

Commits
  • dce542c v4.7.9
  • 8a41389 Update release notes
  • 68d8df5 Fix security issues
  • b2a0831 Fix browser tests
  • 9f98c16 Fix release script
  • 45443b4 Revert "Improve partial indenting performance"
  • 8841a5f Fix CI errors with linting
  • e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
  • e914d60 Improve rendering performance
  • 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Update dev dependency handlebars to 4.7.9 to pick up upstream security fixes and minor bug fixes. No runtime changes; this only affects build tooling.

  • Dependencies
    • Bumped handlebars from 4.7.8 to 4.7.9 in apps/extensions (lockfile updated).

Written for commit a5bd0b9. Summary will update on new commits.

@dependabot
chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9
a5bd0b9 
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 27, 2026
@cla-assistant
Copy link
Copy Markdown

cla-assistant Bot commented Mar 27, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@cla-assistant
Copy link
Copy Markdown

cla-assistant Bot commented Mar 27, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Mar 27, 2026

Greptile Summary

This is an automated Dependabot security patch that bumps handlebars from 4.7.8 to 4.7.9 in apps/extensions as a dev dependency. The 4.7.9 release addresses 8 security advisories and a Windows EINVAL spawn issue. The package.json is correctly updated alongside the lock file, satisfying the project's automated-dependency-update policy.

  • The lock file also picks up transitive updates: semver@7.7.4, lodash@4.17.23, esquery@1.7.0, minimatch@9.0.9, and type-definition bumps.
  • Several packages now show new deprecation notices in the lock file (e.g. git-raw-commits, glob@10.x, tar@6/7, whatwg-encoding, scmp), but these are pre-existing transitive dependencies unrelated to this PR.
  • Notably, next@14.2.33 is now flagged in the lock file with a security vulnerability notice. While a pre-existing issue outside the scope of this PR, it warrants a separate follow-up dependency upgrade.

Confidence Score: 4/5

Safe to merge; this is a clean security patch with correct package.json and lock file updates, though a follow-up Next.js security upgrade is recommended.

The PR correctly bumps handlebars from 4.7.8 to 4.7.9 addressing 8 security advisories, the package.json is explicitly updated (satisfying the automated-PR policy), and the only concern is a pre-existing Next.js security notice surfaced incidentally in the lock file — not introduced by this change.

pnpm-lock.yaml — contains a newly surfaced deprecation/security notice for next@14.2.33 that warrants a follow-up PR.

Important Files Changed

Filename Overview
apps/extensions/package.json Bumps handlebars dev dependency from ^4.7.8 to ^4.7.9, addressing 8 security advisories
pnpm-lock.yaml Lock file updated with handlebars 4.7.9, plus transitive bumps (semver 7.7.4, lodash 4.17.23, esquery 1.7.0, minimatch 9.0.9) and newly flagged deprecation/security notices on next@14.2.33 and several other packages

Reviews (1): Last reviewed commit: "chore(deps-dev): bump handlebars from 4...." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Mar 27, 2026
View reviewed changes
Comment thread pnpm-lock.yaml
Comment on lines 14387 to 14388
next@14.2.33:
resolution: {integrity: sha512-GiKHLsD00t4ACm1p00VgrI0rUFAC9cRDGReKyERlM57aeEZkOQGcZTpIbsGn0b562FTPJWmYfKwplfO9EaT6ng==}
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 next@14.2.33 flagged with security vulnerability

This lock file update exposes a newly added deprecated notice on next@14.2.33:

deprecated: This version has a security vulnerability. Please upgrade to a patched version.
See https://nextjs.org/blog/security-update-2025-12-11 for more details.

While this is a pre-existing issue outside the scope of this PR, it is now surfaced here and should be addressed in a follow-up dependency upgrade. Consider raising a separate Dependabot PR (or manual bump) to move Next.js to a patched version.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Mar 27, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants