Add handlebars dependency version 4.7.6 #1566
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
package.json
Outdated
| "test": "snyk test" | ||
| }, | ||
| "dependencies": { | ||
| "handlebars": "4.7.6", |
There was a problem hiding this comment.
Bug: Vulnerable handlebars version with critical RCE vulnerability
The handlebars version 4.7.6 being added has a known critical security vulnerability (CVE-2021-23369, CVSS 9.8). This version is vulnerable to Remote Code Execution when compiling templates from untrusted sources. The vulnerability was fixed in version 4.7.7, with 4.7.8 being the latest secure version. Even for a vulnerable demo application, the explicit choice of an outdated vulnerable version deserves review confirmation.
Downgrade handlebars dependency from 4.7.6 to 4.7.4.
| "test": "snyk test" | ||
| }, | ||
| "dependencies": { | ||
| "handlebars": "4.7.4", |
There was a problem hiding this comment.
Bug: Wrong handlebars version added: 4.7.4 instead of 4.7.6
The PR title states the intent to add handlebars version 4.7.6, but the code actually adds version 4.7.4. This version mismatch could mean missing security fixes or features that exist in 4.7.6 but not in 4.7.4, and creates a discrepancy between documentation and implementation.
1 participant
Note
Add
[email protected]topackage.jsondependencies.Written by Cursor Bugbot for commit 1106b55. This will update automatically on new commits. Configure here.