fix: upgrade handlebars to 4.7.9, fix pre-push hook#1134
Conversation
Addresses all 6 open Dependabot alerts:
- CVE-2026-33937 (critical): JS Injection via AST Type Confusion
- CVE-2026-33941 (high): JS Injection in CLI Precompiler
- CVE-2026-33940 (high): JS Injection via AST Type Confusion (dynamic partial)
- CVE-2026-33939 (high): DoS via Malformed Decorator Syntax
- CVE-2026-33938 (high): JS Injection via AST Type Confusion (@partial-block)
- CVE-2026-33916 (medium): Prototype Pollution Leading to XSS
For new branches, compare against remote default branch instead of searching for release tags. The tag-based approach included commits already on origin/main, causing false positives for AI attribution.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| if [ -z "$default_branch" ]; then | ||
| default_branch="main" | ||
| fi | ||
| range="${remote}/${default_branch}..$local_sha" |
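Review bot: range="${remote}/${default_branch}..$local_sha" is assigned without first checking that ${remote}/${default_branch} resolves locally, so in a clone that never fetched the default branch (a --single-branch or shallow clone, or a remote added by hand) the later git rev-list over this range fails and, under set -e, aborts the hook and blocks the push. Guard the ref with git rev-parse --verify --quiet "refs/remotes/${remote}/${default_branch}" and, when it is absent, fall back to range="$local_sha" (or "$local_sha --not --remotes") the way the previous tag-based code fell back when no tag was found. The default_branch="main" fallback also silently assumes a branch name; reading refs/remotes/${remote}/HEAD when it exists would make the derivation match the remote rather than a convention.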
New branch push fails if remote default branch ref missing
Low Severity
When pushing a new branch, range is set to ${remote}/${default_branch}..$local_sha, but if the tracking ref (e.g. origin/main) doesn't exist locally, git rev-list on line 49 fails and set -e kills the script with a cryptic error, blocking the push entirely. This can happen with --single-branch clones, shallow clones, or manually-added remotes that haven't fetched the default branch. The old code had a safe fallback (range="$local_sha") when no tags were found; the new code has no equivalent fallback when the remote branch ref is missing.


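A hardened version of the range computation discussed in the comment above, added here as an example; it is not the project's .husky/pre-push hook. The variables remote, default_branch and local_sha mirror the diff; git_default_branch, safe_range, commits_in_range and demo are this example's own helper names, and the throwaway repository that demo builds (a base commit on main, a fake origin/main tracking ref, then two feature commits) is constructed purely for illustration.

```bash
#!/bin/sh
# Added example, not the project's .husky/pre-push hook: build the commit
# range for new-branch validation so a missing remote default-branch ref
# degrades to a safe fallback instead of aborting the hook under `set -e`.
# remote / default_branch / local_sha mirror the diff; git_default_branch,
# safe_range, commits_in_range and demo are this example's own names.
set -eu
command -v git >/dev/null 2>&1 || { echo "git not found, nothing to demo" >&2; exit 0; }

# Print the remote's default branch, read from refs/remotes/<remote>/HEAD
# (e.g. "origin/main" -> "main"). Falls back to "main" when that symbolic
# ref was never set up, which is the case for --single-branch clones,
# shallow clones and hand-added remotes.
git_default_branch() {
  remote="$1"
  if head_ref=$(git symbolic-ref --quiet --short "refs/remotes/${remote}/HEAD" 2>/dev/null); then
    printf '%s\n' "${head_ref#"${remote}/"}"
  else
    printf 'main\n'
  fi
}

# Print the rev-list range to validate, never failing:
#  1. <remote>/<branch>..<sha>   when the tracking ref exists locally
#  2. <sha> --not --remotes      when it does not, but other remote refs do
#  3. <sha>                      when nothing from the remote was fetched
safe_range() {
  remote="$1"; branch="$2"; local_sha="$3"
  if git rev-parse --verify --quiet "refs/remotes/${remote}/${branch}" >/dev/null 2>&1; then
    printf '%s/%s..%s\n' "$remote" "$branch" "$local_sha"
  elif [ -n "$(git for-each-ref --count=1 'refs/remotes/')" ]; then
    printf '%s --not --remotes\n' "$local_sha"
  else
    printf '%s\n' "$local_sha"
  fi
}

# Number of commits a hook would validate for a range string. The argument
# is deliberately unquoted so "<sha> --not --remotes" splits into rev args.
commits_in_range() {
  # shellcheck disable=SC2086
  git rev-list --count $1
}

# Constructed demo: a throwaway repo whose "origin/main" tracking ref is
# first present, then replaced by an unrelated remote ref, then removed.
# Prints "<branch> <branch> <n1> <n2> <n3>", expected "main main 2 2 3".
demo() {
  tmp=$(mktemp -d)
  (
    cd "$tmp"
    git init -q
    git symbolic-ref HEAD refs/heads/main
    c() { git -c user.name=t -c user.email=t@example.com -c commit.gpgsign=false \
          commit -q --allow-empty -m "$1"; }
    c base
    base=$(git rev-parse HEAD)
    git update-ref refs/remotes/origin/main "$base"
    git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main
    git checkout -q -b feature
    c "feature 1"; c "feature 2"
    sha=$(git rev-parse HEAD)

    br1=$(git_default_branch origin)                              # "main" from origin/HEAD
    n1=$(commits_in_range "$(safe_range origin "$br1" "$sha")")   # 2: feature commits only

    # Clone that never fetched main: only some other remote ref exists.
    git update-ref refs/remotes/origin/other "$base"
    git update-ref -d refs/remotes/origin/main
    git symbolic-ref --delete refs/remotes/origin/HEAD
    br2=$(git_default_branch origin)                              # "main" via fallback
    n2=$(commits_in_range "$(safe_range origin "$br2" "$sha")")   # 2: base excluded via --remotes

    # Nothing fetched at all: validate everything reachable from the tip.
    git update-ref -d refs/remotes/origin/other
    n3=$(commits_in_range "$(safe_range origin "$br2" "$sha")")   # 3: base plus two

    printf '%s %s %s %s %s\n' "$br1" "$br2" "$n1" "$n2" "$n3"
  )
  rm -rf "$tmp"
}

demo
```

In a hook, safe_range replaces the bare range assignment: the first branch is the PR's intended behaviour, the second still excludes anything the remote is known to have, and the third is the old range="$local_sha" fallback, so the validation may over-check commits in a degraded clone but never exits non-zero before the check has run.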
Summary
- origin/main instead of release tags
- Dependabot alerts resolved
Test plan
- pnpm run check passes

Note
Medium Risk
Updates a security-sensitive templating dependency and changes the pre-push commit-range logic; low code complexity, but regressions could either miss validations or block valid pushes.
Overview
Fixes the .husky/pre-push hook behavior on new branch pushes by deriving the remote default branch (fallback main) and validating only commits not already on that branch, instead of scanning from the latest release tag.
Upgrades handlebars in packages/package-builder (and lockfile) from 4.7.8 to 4.7.9 to pull in security fixes.
Written by Cursor Bugbot for commit f09224f.