build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 in /packages/vibecode-cli in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /packages/vibecode-cli directory: handlebars.

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

PR Analysis 📊

Changed Files Summary:

• JavaScript/TypeScript files: 0
• Test files: 0
• Documentation files: 0
• Configuration files: 0

CI Status: Running automated checks...

[github-actions]

Dependency Audit Results

# npm audit report

@hono/node-server  <1.19.10
Severity: high
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/@hono/node-server
  @prisma/dev  <=0.22.0
  Depends on vulnerable versions of @hono/node-server
  node_modules/@prisma/dev
    prisma  6.13.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
    Depends on vulnerable versions of @prisma/config
    Depends on vulnerable versions of @prisma/dev
    node_modules/prisma

basic-ftp  <5.2.0
Severity: critical
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method - https://github.com/advisories/GHSA-5rq4-664w-9x2c
fix available via `npm audit fix`
node_modules/basic-ftp

brace-expansion  <=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint-plugin-jsx-a11y/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion
node_modules/test-exclude/node_modules/brace-expansion

dompurify  <=3.3.1
Severity: moderate
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization  - https://github.com/advisories/GHSA-h8r8-wccr-v5f2
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

effect  <3.20.0
Severity: high
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC - https://github.com/advisories/GHSA-38f7-945m-qr2g
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/effect
  @prisma/config  6.13.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
  Depends on vulnerable versions of effect
  node_modules/@prisma/config

express-rate-limit  8.2.0 - 8.2.1
Severity: high
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network - https://github.com/advisories/GHSA-46wh-pxpv-q5gq
fix available via `npm audit fix`
node_modules/express-rate-limit

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.8
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

hono  <=4.12.6
Severity: high
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo - https://github.com/advisories/GHSA-xh87-mx6m-69f3
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() - https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() - https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Hono vulnerable to arbitrary file access via serveStatic vulnerability  - https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) - https://github.com/advisories/GHSA-v8w9-8mx6-g223
fix available via `npm audit fix`
node_modules/hono

next  16.0.0-beta.0 - 16.1.6
Severity: moderate
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
Next.js: Unbounded postponed resume buffering can lead to DoS - https://github.com/advisories/GHSA-h27x-g6w4-24gq
Next.js: null origin can bypass Server Actions CSRF checks - https://github.com/advisories/GHSA-mq59-m269-xvcx
Next.js: null origin can bypass dev HMR websocket CSRF checks - https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fix available via `npm audit fix --force`
Will install next@16.2.1, which is outside the stated dependency range
node_modules/next

path-to-regexp  8.0.0 - 8.3.0
Severity: high
path-to-regexp vulnerable to Denial of Service via sequential optional groups - https://github.com/advisories/GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards - https://github.com/advisories/GHSA-27v5-c462-wpq7
fix available via `npm audit fix`
node_modules/router/node_modules/path-to-regexp

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/jest-util/node_modules/picomatch
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install terser-webpack-plugin@5.4.0, which is outside the stated dependency range
node_modules/serialize-javascript
  terser-webpack-plugin  <=5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@5.10.0, which is outside the stated dependency range
node_modules/simple-git
  @datadog/datadog-ci-base  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-base
    @datadog/datadog-ci  3.21.1 - 5.9.0
    Depends on vulnerable versions of @datadog/datadog-ci-base
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-coverage
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-deployment
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-dora
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sarif
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sbom
    node_modules/@datadog/datadog-ci
  @datadog/datadog-ci-plugin-coverage  5.3.0 - 5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-coverage
  @datadog/datadog-ci-plugin-deployment  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-deployment
  @datadog/datadog-ci-plugin-dora  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-dora
  @datadog/datadog-ci-plugin-sarif  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sarif
  @datadog/datadog-ci-plugin-sbom  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sbom

socket.io-parser  4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix`
node_modules/undici

yaml  1.0.0 - 1.10.2 || 2.0.0 - 2.8.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/cosmiconfig/node_modules/yaml
node_modules/yaml

30 vulnerabilities (1 low, 5 moderate, 15 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

Quick Checks Results

Check	Status
ESLint	✅
TypeScript	✅

✅ All quick checks passed!

[github-actions]

Build Status ✅ Build successful

✅ Build completed successfully!

[github-actions]

🔒 Security Audit Results

✅ Secret Scanning: No secrets detected
⚠️ Environment Config: Missing variables
❌ NPM Audit: Critical/High vulnerabilities
✅ Secret Patterns: None detected

---

📊 View full results: Security Audit Summary
⏱️ Duration: < 2 minutes

[github-actions]

Test Results ✅ Passed

Test Suites: 57 failed, 5 skipped, 488 passed, 545 of 550 total
Tests: 380 failed, 104 skipped, 30 todo, 10665 passed, 11179 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

[github-actions]

PR Status Summary

Check	Status
Quick Checks	✅ Passed
Tests	✅ Passed
Build	✅ Passed

✅ All checks passed! This PR is ready to merge. 🎉