From 086c4f89c7312e6dddd41de6df3300ac6fab8461 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Sun, 29 Mar 2026 00:08:02 -0400
Subject: [PATCH 1/3] fix: upgrade handlebars to 4.7.9 (6 CVEs)

Addresses all 6 open Dependabot alerts:
- CVE-2026-33937 (critical): JS Injection via AST Type Confusion
- CVE-2026-33941 (high): JS Injection in CLI Precompiler
- CVE-2026-33940 (high): JS Injection via AST Type Confusion (dynamic partial)
- CVE-2026-33939 (high): DoS via Malformed Decorator Syntax
- CVE-2026-33938 (high): JS Injection via AST Type Confusion (@partial-block)
- CVE-2026-33916 (medium): Prototype Pollution Leading to XSS
---
 packages/package-builder/package.json | 2 +-
 pnpm-lock.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/package-builder/package.json b/packages/package-builder/package.json
index 9f307d573..fd866d087 100644
--- a/packages/package-builder/package.json
+++ b/packages/package-builder/package.json
@@ -17,7 +17,7 @@
 "dependencies": {
 "@socketsecurity/lib": "catalog:",
 "build-infra": "workspace:*",
- "handlebars": "^4.7.8"
+ "handlebars": "^4.7.9"
 },
 "engines": {
 "node": ">=25.5.0"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 8546359c3..8b1cf67d2 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -771,8 +771,8 @@ importers:
 specifier: workspace:*
 version: link:../build-infra
 handlebars:
- specifier: ^4.7.8
- version: 4.7.8
+ specifier: ^4.7.9
+ version: 4.7.9
 packages:
@@ -2805,8 +2805,8 @@ packages:
 resolution: {integrity: sha512-rXunEHF9M9EkMydTBux7+IryYXEZinRk6g8OBOGDBzo/qWJjhTxy86i5q7lQYpCLHN8Sqv1XX3OIOc7ka2gtvQ==}
 engines: {node: '>=8.0.0'}
- handlebars@4.7.8:
- resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==}
+ handlebars@4.7.9:
+ resolution: {integrity: sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==}
 engines: {node: '>=0.4.7'}
 hasBin: true
@@ -6405,7 +6405,7 @@ snapshots:
 grad-school@0.0.5: {}
- handlebars@4.7.8:
+ handlebars@4.7.9:
 dependencies:
 minimist: 1.2.8
 neo-async: 2.6.2
From f09224f7f38084305318f5e93ba4f917a72b5ae8 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Sun, 29 Mar 2026 00:13:34 -0400
Subject: [PATCH 2/3] fix: pre-push hook checks commits already on remote

For new branches, compare against remote default branch instead of searching for release tags. The tag-based approach included commits already on origin/main, causing false positives for AI attribution.
---
 .husky/pre-push | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/.husky/pre-push b/.husky/pre-push
index f607f954d..9f3155a2d 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -26,15 +26,12 @@ TOTAL_ERRORS=0
 while read local_ref local_sha remote_ref remote_sha; do
 # Get the range of commits being pushed.
 if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
- # New branch - find the latest published release tag to limit scope.
- latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$local_sha" | head -1)
- if [ -n "$latest_release" ]; then
- # Check commits since the latest published release.
- range="$latest_release..$local_sha"
- else
- # No release tags found - check all commits.
- range="$local_sha"
+ # New branch: only check commits not already on the remote default branch.
+ default_branch=$(git symbolic-ref "refs/remotes/${remote}/HEAD" 2>/dev/null | sed "s|refs/remotes/${remote}/||")
+ if [ -z "$default_branch" ]; then
+ default_branch="main"
 fi
+ range="${remote}/${default_branch}..$local_sha"
 else
 # Existing branch - check only new commits being pushed.
 range="$remote_sha..$local_sha"
From b95e8f088e7db414caa310cc5e74991133798127 Mon Sep 17 00:00:00 2001
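Review bot: The new `default_branch=$(git symbolic-ref ... | sed "s|refs/remotes/${remote}/||")` line interpolates `$remote` into a sed expression, so a remote name containing `|`, `&` or `\` would corrupt the substitution, and the pipeline also masks symbolic-ref's exit status so only the empty-string check catches failure. `git symbolic-ref --short` already returns the `origin/main`-style name, so the prefix can be stripped with a parameter expansion and no external process: `default_branch=$(git symbolic-ref --short "refs/remotes/${remote}/HEAD" 2>/dev/null)` followed by `default_branch=${default_branch#"${remote}/"}`. Where `remote` is assigned is not visible here, presumably from the hook's first positional argument earlier in the file. The `while read` loop this sits in starts at the hunk's first line and continues past its end.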
From: jdalton
Date: Mon, 30 Mar 2026 11:42:43 -0400
Subject: [PATCH 3/3] fix: add fallback when remote default branch ref is missing in pre-push hook

---
 .husky/pre-push | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.husky/pre-push b/.husky/pre-push
index 9f3155a2d..ad185b85a 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -31,7 +31,13 @@ while read local_ref local_sha remote_ref remote_sha; do
 if [ -z "$default_branch" ]; then
 default_branch="main"
 fi
- range="${remote}/${default_branch}..$local_sha"
+ # Verify the remote ref exists locally before using it in the range.
+ if git rev-parse --verify "${remote}/${default_branch}" >/dev/null 2>&1; then
+ range="${remote}/${default_branch}..$local_sha"
+ else
+ # Remote ref missing (shallow clone, --single-branch, etc.), check all commits.
+ range="$local_sha"
+ fi
 else
 # Existing branch - check only new commits being pushed.
 range="$remote_sha..$local_sha"
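Review bot: The added `git rev-parse --verify "${remote}/${default_branch}"` check resolves the short name through git's refname lookup order, so a local branch or tag that happens to be called e.g. `origin/main` satisfies the check and then defines the range instead of the remote-tracking ref. Using the fully qualified ref in both places removes the ambiguity: `if git rev-parse --verify "refs/remotes/${remote}/${default_branch}" >/dev/null 2>&1; then` and `range="refs/remotes/${remote}/${default_branch}..$local_sha"`. The new else branch silently widens the scan to every commit reachable from `$local_sha`, which is the slow, false-positive-prone case the previous commit was avoiding; a one-line notice such as `printf 'pre-push: %s/%s not found locally, checking all commits\n' "$remote" "$default_branch" >&2` would make that visible to whoever runs into it. The enclosing `while read` loop begins and ends outside this hunk.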