Skip to content

#190 address dependabot alerts for Handlebars.js in serverless#200

Merged
jayhill merged 1 commit intomainfrom
copilot/address-dependabot-alerts-handlebars-js
Mar 29, 2026
Merged

#190 address dependabot alerts for Handlebars.js in serverless#200
jayhill merged 1 commit intomainfrom
copilot/address-dependabot-alerts-handlebars-js

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 29, 2026

This PR addresses the open Dependabot alert on transitive handlebars in the serverless workspace. The vulnerable resolution was pinned by upstream semver ranges, so the workspace now explicitly overrides to a patched release.

  • Scope

    • serverless workspace only (no frontend/shared/runtime logic changes).

  • Dependency remediation

    • Added an npm overrides entry in serverless/package.json to force handlebars to a patched line.
    • Keeps the fix targeted to the vulnerable transitive package without changing top-level dependency declarations.

  • Lockfile update

    • Regenerated serverless/package-lock.json to apply the override.
    • node_modules/handlebars now resolves to 4.7.9 (from 4.7.8).
{
  "overrides": {
    "flatted": "^3.4.2",
    "handlebars": "^4.7.9",
    "rimraf": { "glob": "^10.5.0" }
  }
}

@jayhill jayhill marked this pull request as ready for review March 29, 2026 14:10
@jayhill jayhill merged commit d57d5dc into main Mar 29, 2026
8 checks passed
@jayhill jayhill deleted the copilot/address-dependabot-alerts-handlebars-js branch March 29, 2026 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jayhill jayhill

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jayhill