fix: upgrade handlebars to 4.7.9, fix pre-push hook (#1134)

jdalton · web-flow · commit dd8ac74ef4d9 · 2026-03-30T11:59:57.000-04:00
* fix: upgrade handlebars to 4.7.9 (6 CVEs) Addresses all 6 open Dependabot alerts: - CVE-2026-33937 (critical): JS Injection via AST Type Confusion - CVE-2026-33941 (high): JS Injection in CLI Precompiler - CVE-2026-33940 (high): JS Injection via AST Type Confusion (dynamic partial) - CVE-2026-33939 (high): DoS via Malformed Decorator Syntax - CVE-2026-33938 (high): JS Injection via AST Type Confusion (@partial-block) - CVE-2026-33916 (medium): Prototype Pollution Leading to XSS * fix: pre-push hook checks commits already on remote For new branches, compare against remote default branch instead of searching for release tags. The tag-based approach included commits already on origin/main, causing false positives for AI attribution. * fix: add fallback when remote default branch ref is missing in pre-push hook
diff --git a/.husky/pre-push b/.husky/pre-push
@@ -26,13 +26,16 @@ TOTAL_ERRORS=0
 while read local_ref local_sha remote_ref remote_sha; do
   # Get the range of commits being pushed.
   if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
-    # New branch - find the latest published release tag to limit scope.
-    latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$local_sha" | head -1)
-    if [ -n "$latest_release" ]; then
-      # Check commits since the latest published release.
-      range="$latest_release..$local_sha"
+    # New branch: only check commits not already on the remote default branch.
+    default_branch=$(git symbolic-ref "refs/remotes/${remote}/HEAD" 2>/dev/null | sed "s|refs/remotes/${remote}/||")
+    if [ -z "$default_branch" ]; then
+      default_branch="main"
+    fi
+    # Verify the remote ref exists locally before using it in the range.
+    if git rev-parse --verify "${remote}/${default_branch}" >/dev/null 2>&1; then
+      range="${remote}/${default_branch}..$local_sha"
     else
-      # No release tags found - check all commits.
+      # Remote ref missing (shallow clone, --single-branch, etc.), check all commits.
       range="$local_sha"
     fi
   else
diff --git a/packages/package-builder/package.json b/packages/package-builder/package.json
@@ -17,7 +17,7 @@
   "dependencies": {
     "@socketsecurity/lib": "catalog:",
     "build-infra": "workspace:*",
-    "handlebars": "^4.7.8"
+    "handlebars": "^4.7.9"
   },
   "engines": {
     "node": ">=25.5.0"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
