[DependOnMe] Critical security fix - 1 issue(s) #1215

Open

dependonme-deriv wants to merge 2 commits into master from dependonme/bulk-fix-0c87d0b3

Conversation

@dependonme-deriv

Bulk Security Fix

This pull request was automatically generated by DependOnMe to fix 1 critical security issue(s).

Issues Fixed

  • Critical: 1
  • High: 0
  • Medium: 0
  • Low: 0

Files Modified

  • package.json

AI Summary

Fixed 1 critical security issue:

CRITICAL FIXED:

  • CVE-2026-33937: Handlebars.js JavaScript Injection via AST Type Confusion
    • Fix: Added "handlebars": "4.7.9" to package overrides
    • Method: Used npm overrides mechanism to force the secure version (4.7.9) of the transitive dependency
    • Rationale: Handlebars is not a direct dependency but is pulled in by other packages in the dependency tree. Using overrides ensures all instances of handlebars use the patched version.

Changes Made:

  • Added "handlebars": "4.7.9" to the existing overrides section in package.json
  • This forces npm to use the secure version 4.7.9 instead of the vulnerable versions (≤ 4.7.8)

⚠️ Risk Assessment:

  • Low Risk: This is a patch-level security update (4.7.8 → 4.7.9) with no breaking changes
  • The fix only addresses the security vulnerability without changing any APIs
  • Using npm overrides is appropriate for transitive dependency security fixes
  • No impact on existing functionality expected

🧪 Testing Checklist:

  • Run npm install to update the lock file with the override
  • Run full test suite (npm test)
  • Test build process (npm run serve)
  • Verify no template compilation errors if handlebars templates are used
  • Check for any console warnings about dependency conflicts
  • Test in development environment before production deployment

📋 Manual Steps Needed:

  1. After applying this fix, run: npm install to regenerate package-lock.json with the secure handlebars version
  2. Verify the fix: Check that npm ls handlebars shows version 4.7.9 across all instances
  3. Security scan: Run npm audit to confirm the vulnerability is resolved

Note: The override approach is used because handlebars is a transitive dependency. This ensures all packages that depend on handlebars will use the secure version, providing comprehensive protection against CVE-2026-33937.


This PR was created by DependOnMe - Automated Security Issue Management
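Step 2 of the manual steps above (confirm that every instance of handlebars resolves to 4.7.9) can be checked without a network by reading the lock file directly. The following Node script is an added example, not DependOnMe's own tooling: it reads a package.json and a lockfileVersion 2/3 package-lock.json and reports every `node_modules/.../handlebars` entry whose version differs from the override. Both JSON documents below are constructed samples cut down to the fields the check needs; `some-tool` is a hypothetical dependant, and its nested copy of handlebars is there to show what an override that did not take effect looks like.

```javascript
// Added example, not DependOnMe's code: verify that every copy of a package
// in package-lock.json (lockfileVersion 2 or 3) carries the version pinned
// in the "overrides" section of package.json. Constructed sample data below;
// "some-tool" is a hypothetical dependant that pulls in handlebars.

const samplePackageJson = {
  name: "sample-app",
  overrides: {
    handlebars: "4.7.9",
  },
};

// In lockfile v2/v3 each installed copy is keyed by its path below node_modules,
// so nested duplicates show up as longer paths.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/handlebars": { version: "4.7.9" },
    "node_modules/some-tool": {
      version: "1.0.0",
      dependencies: { handlebars: "^4.0.0" },
    },
    // A nested copy the override did not reach: still on the vulnerable line.
    "node_modules/some-tool/node_modules/handlebars": { version: "4.7.8" },
  },
};

// Package name for a lock-file entry path; scoped names ("@scope/pkg") and
// nested paths ("node_modules/a/node_modules/b") both resolve to the last segment.
function packageNameFromPath(entryPath) {
  const segments = entryPath.split("node_modules/");
  return segments[segments.length - 1];
}

// One record per lock-file entry whose name has a plain string override.
// Nested override objects and "$ref" style values are out of scope and skipped.
function checkOverrides(pkgJson, lock) {
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    throw new Error("needs a lockfileVersion 2 or 3 lock file with a 'packages' map");
  }
  const overrides = pkgJson.overrides || {};
  const findings = [];
  for (const [entryPath, entry] of Object.entries(lock.packages)) {
    if (entryPath === "") continue; // the root project itself
    const name = packageNameFromPath(entryPath);
    const wanted = overrides[name];
    if (typeof wanted !== "string") continue;
    findings.push({
      path: entryPath,
      name,
      version: entry.version,
      wanted,
      ok: entry.version === wanted,
    });
  }
  return findings;
}

// Entries that still do not match the override: these are what `npm ls <pkg>`
// would list at the wrong version and what `npm audit` would still flag.
function overrideViolations(pkgJson, lock) {
  return checkOverrides(pkgJson, lock).filter((f) => !f.ok);
}

for (const f of checkOverrides(samplePackageJson, sampleLock)) {
  console.log(`${f.ok ? "ok  " : "FAIL"} ${f.path} ${f.version} (override ${f.wanted})`);
}
```

Run against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json; a non-empty result from `overrideViolations` means the override is not covering every copy and the `npm install` step has to be repeated or the nested dependant investigated.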

dependonme-deriv and others added 2 commits April 14, 2026 13:03
Automatically regenerated by DependOnMe bot after package.json update.
Branch: dependonme/bulk-fix-0c87d0b3
Package manager: npm
@github-actions

github-actions Bot commented Apr 14, 2026

Claude finished @dependonme-deriv's task in 3m 27s


PR Review

  • Read changed files and gather context
  • Verify CVE fix correctness in package.json
  • Inspect package-lock.json for correct handlebars version
  • Check for regressions or unintended changes
  • Post comprehensive review summary

Summary

The security fix for CVE-2026-33937 (Handlebars.js JavaScript Injection via AST Type Confusion) is technically correct, but the package-lock.json regeneration introduced significant unintended changes that need attention before merging.


High Priority

Lock file contains unexpectedly large changes

The diff shows +144 / -1391 lines in package-lock.json. For a fix that only adds one override ("handlebars": "4.7.9"), the expectation is a much smaller change (the handlebars entry itself, plus its sub-deps). Instead, dozens of packages were removed from the lock file.

Packages removed from node_modules/ entries include:

  • @colors/colors
  • @semantic-release/commit-analyzer (and related semantic-release packages)
  • circular-dependency-plugin
  • cli-highlight, env-ci, babel-plugin-syntax-jsx, and many more

The root cause is likely that the bot ran npm install (rather than a targeted lock file update), allowing npm to deduplicate and restructure the lock file. A newer npm version may also have changed how optional: true / peer: true packages are tracked.

Risk: Running npm ci from this lock file will install a materially different set of packages than master. This could silently break builds or the test suite.

Recommended check: After merging, run npm ci && grunt && npm test in a clean environment and verify there are no missing-module errors.

circular-dependency-plugin dropped from installed packages

package.json lists "circular-dependency-plugin": "5.2.2" under peerDependencies. The master lock file includes a node_modules/circular-dependency-plugin entry (line 5800 in master), confirming it was previously installed. That entry is absent from the PR's lock file.

If any Webpack config requires this plugin at build time, it will throw at runtime:

Cannot find module 'circular-dependency-plugin'



Medium Priority

Integrity hash should be verified

The lock file records the following integrity for handlebars@4.7.9:

sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==

Before merging, confirm this matches the tarball published on the npm registry (npm view handlebars@4.7.9 dist.integrity). Automated bots that modify lock files can occasionally introduce tampered hashes.

CVE number may be synthetic

CVE-2026-33937 has a 2026 year component which is consistent with today's date, but this CVE is not yet widely indexed. Verify it exists in NIST NVD or the GitHub Advisory Database, and that 4.7.9 is the confirmed fix version, before closing the advisory.


Low Priority

Missing trailing newline in package.json

The diff shows the final } no longer has a trailing newline (\ No newline at end of file). Most editors and linters expect a newline at EOF; this is a minor style issue.

-}
+}
\ No newline at end of file
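Review bot: the only change in this hunk is that the closing `}` lost its terminating newline (`\ No newline at end of file`); restore the newline after `}` so package.json ends the way the rest of the repository's files do, otherwise the next tool that rewrites the file will show this brace as changed again and the real override change gets harder to spot in future diffs.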



What IS Correct

  • Override mechanism (npm overrides) is the right tool for a transitive dep
  • Target version 4.7.9 resolves to handlebars correctly in lock file
  • Lock file shows handlebars@4.7.9 resolved under node_modules/handlebars
  • No direct handlebars usages introduced or modified
  • Existing overrides (braces, @babel/parser, @babel/plugin-proposal-optional-chaining) preserved

Recommended Manual Steps Before Merging

  1. In a clean environment: npm ci && grunt && npm test
  2. Run npm ls circular-dependency-plugin — must show 5.2.2
  3. Run npm audit — verify no remaining high/critical advisories
  4. Verify npm view handlebars@4.7.9 dist.integrity matches the hash in package-lock.json
