An open index of dependabot pull requests across open source projects.

Bump handlebars from 4.7.8 to 4.7.9

Number: #16
Type: Pull Request
State: Closed
Author: dependabot[bot]
Association: Unknown
Comments: 1
Created: March 27, 2026 at 02:27 AM UTC
Updated: April 15, 2026 at 10:11 PM UTC
Closed: April 15, 2026 at 10:11 PM UTC
Time to Close: 20 days
Labels: dependencies, javascript
Description:

Bumps handlebars from 4.7.8 to 4.7.9.

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

  • fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
  • fix type "RuntimeOptions" also accepting string partials - eab1d14
  • feat(types): set hash to be a Record<string, any> - de4414d
  • fix non-contiguous program indices - 4512766
  • refactor: rename i to startPartIndex - e497a35
  • security: fix security issues - 68d8df5

Commits
  • dce542c v4.7.9
  • 8a41389 Update release notes
  • 68d8df5 Fix security issues
  • b2a0831 Fix browser tests
  • 9f98c16 Fix release script
  • 45443b4 Revert "Improve partial indenting performance"
  • 8841a5f Fix CI errors with linting
  • e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
  • e914d60 Improve rendering performance
  • 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Package Dependencies
Package: handlebars
Ecosystem: npm
Version Change: 4.7.8 → 4.7.9
Update Type: Patch
Security Advisories

Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
GHSA-7rx3-28cr-v5wh (MODERATE)
Summary: The prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric...

Handlebars.js has a Property Access Validation Bypass in container.lookup
GHSA-442j-39wm-28r2 (LOW)
Summary: In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated...

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
GHSA-xjpj-3mr7-gcpf, CVE-2026-33941 (HIGH)
Summary: The Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScrip...

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
GHSA-xhpv-hc6g-r9c6, CVE-2026-33940 (HIGH)
Summary: A crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then tr...

Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
GHSA-9cx6-37pm-9jff, CVE-2026-33939 (HIGH)
Summary: When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns ...

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
GHSA-3mfm-83xf-c92r, CVE-2026-33938 (HIGH)
Summary: The `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper...

Handlebars.js has JavaScript Injection via AST Type Confusion
GHSA-2w6w-674q-4c4q, CVE-2026-33937 (CRITICAL)
Summary: `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScrip...

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
GHSA-2qvq-rjwj-gvw9, CVE-2026-33916 (MODERATE)
Summary: `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.pr...

Technical Details
ID: 15330343
UUID: 4148659109
Node ID: PR_kwDOOoT8ys7N6o9v
Host: GitHub
Repository: SecureLayer/setup-python