fix: update handlebars to resolve CVE-2026-33937

[dannyneira]

Summary

• Adds a pnpm/package-manager override for transitive handlebars to force 4.7.9.
• Updates pnpm-lock.yaml so ts-jest resolves handlebars@4.7.9 instead of 4.7.8.
• Resolves the selected grouped handlebars Dependabot alerts:
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/12
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/13
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/15
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/16
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/10
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/17
  • https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/18

Vulnerability details

• Package: handlebars
• Ecosystem: npm / pnpm
• Dependency relationship: transitive development dependency via ts-jest
• Vulnerable version: 4.7.8
• Patched version: 4.7.9
• Advisories:
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-442j-39wm-28r2
  • GHSA-7rx3-28cr-v5wh

Verification

• pnpm install --frozen-lockfile
• pnpm why handlebars shows only handlebars@4.7.9
• pnpm audit --json reports no handlebars advisories remaining
• pnpm lint
• pnpm build
• pnpm test

Note: pnpm audit still reports unrelated advisories for ajv, brace-expansion, diff, flatted, minimatch, and picomatch; this PR only targets the selected grouped handlebars alerts.

Conversation: https://staging.warp.dev/conversation/864d183d-4feb-4516-abb6-71b7afef83f0
Run: https://oz.staging.warp.dev/runs/019e7ec3-80f0-7400-9dff-fd0cda5df33b
This PR was generated with Oz.