fix(deps): vuln minor upgrades — 7 packages (minor: 1 · patch: 6) [src/demo-reset-service]#654

Merged
dd-prapprover[bot] merged 1 commit into main from
engraver-auto-version-upgrade/minorpatch/npm/demo-reset-service/8-1781533577
Jun 16, 2026
Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: Critical-severity security update — 7 packages upgraded (MINOR changes included)

Manifests changed:

  • src/demo-reset-service (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| handlebars | 4.7.8 | 4.7.9 | patch | Transitive | 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW |
| fast-xml-parser | 5.4.1 | 5.8.0 | minor | Transitive | 2 HIGH, 3 MEDIUM |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| fast-uri | 3.1.0 | 3.1.2 | patch | Transitive | 2 HIGH |
| fast-xml-builder | 1.1.2 | 1.1.9 | patch | Transitive | 1 HIGH |
| brace-expansion | 5.0.3 | 5.0.6 | patch | Transitive | 3 MEDIUM |
| yaml | 1.10.2 | 1.10.3 | patch | Transitive | 2 MEDIUM |

Security Details

🚨 Critical & High Severity (17 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| handlebars | GHSA-2w6w-674q-4c4q | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33937 | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | - |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.1.0 | 3.1.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.1.0 | 3.1.2 |
| fast-xml-builder | GHSA-5wm8-gmm8-39j9 | HIGH | fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes | 1.1.2 | 1.1.7 |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 5.4.1 | 5.5.6 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 5.4.1 | - |
| handlebars | CVE-2026-33940 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | - |
| handlebars | GHSA-xhpv-hc6g-r9c6 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | 4.7.9 |
| handlebars | GHSA-9cx6-37pm-9jff | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | 4.7.9 |
| handlebars | GHSA-xjpj-3mr7-gcpf | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33941 | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | - |
| handlebars | CVE-2026-33939 | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | - |
| handlebars | GHSA-3mfm-83xf-c92r | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33938 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
ℹ️ Other Vulnerabilities (14)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| brace-expansion | GHSA-jxxr-4gwj-5jf2 | MODERATE | brace-expansion: Large numeric range defeats documented max DoS protection | 5.0.3 | 5.0.6 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.3 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.3 | 5.0.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 5.4.1 | 5.7.0 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 5.4.1 | - |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 5.4.1 | 4.5.5 |
| handlebars | GHSA-2qvq-rjwj-gvw9 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | 4.7.9 |
| handlebars | GHSA-7rx3-28cr-v5wh | MODERATE | Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33916 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| yaml | GHSA-48c2-rrv3-qjmp | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 1.10.2 | 2.8.3 |
| yaml | CVE-2026-33532 | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 1.10.2 | - |
| handlebars | GHSA-442j-39wm-28r2 | LOW | Handlebars.js has a Property Access Validation Bypass in container.lookup | 4.7.8 | 4.7.9 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026

Contributor

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T12:30:25Z
  • ✅ CI tests passed - 2026-06-16T12:30:28Z
  • ✅ Approved (commit: 1481e37) - 2026-06-16T12:30:31Z
  • ✅ Merge Started
  • ✅ Merged - 2026-06-16T12:30:41Z

➡️ Current phase: PR merged successfully! ✅

@dd-prapprover dd-prapprover Bot left a comment

This PR has been automatically approved by the DD PR Approver bot.

@dd-prapprover dd-prapprover Bot merged commit 25de643 into main Jun 16, 2026
8 checks passed