fix(security): bump handlebars to >=4.7.9 (Socket.dev critical CVE) #35

Open
zen-agent wants to merge 1 commit into main from zen/socket-fix-handlebars-c7en8e

Conversation


@zen-agent zen-agent commented May 20, 2026

Description

Patches SOCKET-COMPOSIO-864 (Critical) by adding handlebars: ">=4.7.9" to the existing npm overrides block in src/frontend/package.json.

Socket alert        | CVE            | GHSA                | Severity | Patched in
SOCKET-COMPOSIO-864 | CVE-2026-33937 | GHSA-2w6w-674q-4c4q | Critical | 4.7.9

handlebars@<4.7.9 has a JavaScript Injection RCE via AST Type Confusion. It is pulled in transitively by ts-jest in the frontend test setup.

How did I test this PR

  • npm install --package-lock-only in src/frontend/ regenerates package-lock.json; node_modules/handlebars -> v4.7.9 (verified).
  • socket scan create . --view --report --org composio (scan id 931179ea-87c6-4c0e-bb89-fa457de1483f) — zero handlebars alerts in the new report.

Origin: cron-f7c85f82906b / zen-cron-6352a6575b74
Triggered by: saransh@composio.dev | Source: Socket.dev Vulnerability Auto-Fix

Patches SOCKET-COMPOSIO-864 / CVE-2026-33937 / GHSA-2w6w-674q-4c4q
(Handlebars.js JavaScript Injection via AST Type Confusion, critical).

`handlebars` is pulled in transitively by `ts-jest` (via the frontend
test setup). Added `handlebars: ">=4.7.9"` to the existing npm
`overrides` block in `src/frontend/package.json` (alongside the
existing tar/glob/test-exclude pins).

Verified with `socket scan create . --view --report --org composio`
(scan 931179ea-87c6-4c0e-bb89-fa457de1483f): zero handlebars alerts.

Origin: cron-f7c85f82906b / zen-cron-6352a6575b74
@zen-agent zen-agent changed the title fix(security): bump handlebars to >=4.7.9 fix(security): bump handlebars to >=4.7.9 (Socket.dev critical CVE) May 20, 2026
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels May 20, 2026

codecov-commenter commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Impacted file tree graph

@@           Coverage Diff           @@
##             main      #35   +/-   ##
=======================================
  Coverage        ?   31.23%           
=======================================
  Files           ?     1332           
  Lines           ?    58095           
  Branches        ?    12152           
=======================================
  Hits            ?    18147           
  Misses          ?    38198           
  Partials        ?     1750           
Flag     | Coverage Δ
frontend | 21.59% <ø> (?)
lfx      | 44.42% <ø> (?)

Flags with carried forward coverage won't be shown.


@github-actions

Frontend Unit Test Coverage Report

Coverage Summary

Lines | Statements          | Branches            | Functions
24%   | 24.17% (8626/35678) | 16.93% (4757/28093) | 16.91% (1264/7474)

Unit Test Results

Tests | Skipped | Failures | Errors | Time
2779  | 0       | 0        | 0      | 50.334s

Labels: bug (Something isn't working), community