
fix(deps): vuln minor upgrades — 13 packages (minor: 3 · patch: 10) #618

Draft

gh-worker-campaigns-3e9aa4[bot] wants to merge 2 commits into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781593317

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: Critical-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| handlebars | 4.7.8 | 4.7.9 | patch | Transitive | 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 4.0.3 | 4.0.4 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| fast-uri | 3.1.0 | 3.1.2 | patch | Transitive | 2 HIGH |
| lodash | 4.17.23 | 4.18.1 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| esbuild | 0.28.0 | 0.28.1 | patch | Direct | 1 HIGH, 1 LOW |
| brace-expansion | 1.1.12 | 1.1.15 | patch | Transitive | 2 MEDIUM |
| yaml | 2.8.2 | 2.8.4 | patch | Transitive | 2 MEDIUM |
| js-yaml | 4.1.1 | 4.2.0 | minor | Transitive | 1 MEDIUM |
| ip-address | 10.1.0 | 10.1.1 | patch | Transitive | 1 MEDIUM |
| tar | 7.5.13 | 7.5.16 | patch | Transitive | 1 MEDIUM |
| @babel/core | 7.29.0 | 7.29.7 | patch | Transitive | 1 LOW |

Security Details

🚨 Critical & High Severity (26 fixed)
| Package | CVE / GHSA ID | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| handlebars | CVE-2026-33937 | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | - |
| handlebars | GHSA-2w6w-674q-4c4q | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | 4.7.9 |
| esbuild | GHSA-gv7w-rqvm-qjhr | HIGH | esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY | 0.28.0 | 0.28.1 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.1.0 | 3.1.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.1.0 | 3.1.2 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| handlebars | GHSA-xjpj-3mr7-gcpf | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33940 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | - |
| handlebars | GHSA-xhpv-hc6g-r9c6 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33941 | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | - |
| handlebars | GHSA-9cx6-37pm-9jff | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33939 | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | - |
| handlebars | GHSA-3mfm-83xf-c92r | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33938 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | - |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.23 | 4.18.0 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | 4.0.4 |
ℹ️ Other Vulnerabilities (16)
| Package | CVE / GHSA ID | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | - |
| handlebars | GHSA-7rx3-28cr-v5wh | MODERATE | Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry | 4.7.8 | 4.7.9 |
| handlebars | GHSA-2qvq-rjwj-gvw9 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33916 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | - |
| ip-address | GHSA-v2v4-37r5-5v8g | MODERATE | ip-address has XSS in Address6 HTML-emitting methods | 10.1.0 | 10.1.1 |
| js-yaml | GHSA-h67p-54hq-rp68 | MODERATE | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases | 4.1.1 | 4.2.0 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.23 | 4.18.0 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | - |
| tar | GHSA-vmf3-w455-68vh | MODERATE | node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) | 7.5.13 | 7.5.16 |
| yaml | GHSA-48c2-rrv3-qjmp | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 2.8.2 | 2.8.3 |
| yaml | CVE-2026-33532 | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 2.8.2 | - |
| @babel/core | GHSA-4x5r-pxfx-6jf8 | LOW | @babel/core: Arbitrary File Read via sourceMappingURL Comment | 7.29.0 | 8.0.0-rc.6 |
| esbuild | GHSA-g7r4-m6w7-qqqr | LOW | esbuild allows arbitrary file read when running the development server on Windows | 0.28.0 | 0.28.1 |
| handlebars | GHSA-442j-39wm-28r2 | LOW | Handlebars.js has a Property Access Validation Bypass in container.lookup | 4.7.8 | 4.7.9 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
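The checklist above asks the reviewer to check the changes, and one check the bot does not do for you is confirming that the lockfile it rewrote no longer resolves any listed package to a version below the one the PR moves to. A yarn.lock can carry several resolutions of the same package (one entry per distinct range), so a range-only bump can leave a second, pinned copy on the vulnerable version. The script below is an added review aid, not part of this PR or of the dependency bot's tooling: it parses a yarn.lock (classic `version "x"` and berry `version: x` entries) and reports every resolution that sits below the floor taken from the update table's "To" column. The lockfile excerpt is constructed and abbreviated for the demonstration. One caveat the table itself shows: where a row's "Fixed In" names a different major line than the one being upgraded (minimatch 10.2.3 next to a 3.x bump, brace-expansion 5.0.5 next to 1.x, @babel/core 8.0.0-rc.6 next to 7.x), the floor is only as good as the backport, so confirm those advisories against the upgraded line before treating this check as sufficient.

```python
"""Flag yarn.lock resolutions below the versions this PR moves to.

Added review aid, not part of the PR or of the dependency bot. Floors come
from the PR table's "To" column; the lockfile excerpt below is constructed.
"""
import re

# Minimum acceptable version per package, from the PR's upgrade table ("To").
FLOORS = {
    "handlebars": "4.7.9",
    "minimatch": "3.1.5",
    "flatted": "3.4.2",
    "picomatch": "4.0.4",
    "fast-uri": "3.1.2",
    "lodash": "4.18.1",
    "esbuild": "0.28.1",
    "brace-expansion": "1.1.15",
    "yaml": "2.8.4",
    "js-yaml": "4.2.0",
    "ip-address": "10.1.1",
    "tar": "7.5.16",
    "@babel/core": "7.29.7",
}

# An entry header starts at column 0 and ends with ':'. This matches both the
# classic key style (handlebars@^4.7.7:) and berry ("handlebars@npm:^4.7.7":).
_HEADER = re.compile(r'^(?P<keys>[^\s#].*):\s*$')
# The resolved version under an entry: version "4.7.9" (classic) or version: 4.7.9 (berry).
_VERSION = re.compile(r'^\s+version:?\s+"?(?P<v>[^"\s]+)"?\s*$')


def entry_name(keys: str) -> str:
    """Map a header like '"@babel/core@^7.29.0", ...' to the package name '@babel/core'."""
    first = keys.split(",")[0].strip().strip('"')
    at = first.rfind("@")          # the last '@' separates name from range; a leading '@' is the scope
    return first if at <= 0 else first[:at]


def semver_key(version: str) -> tuple:
    """Sort key for x.y.z[-pre] strings; a prerelease sorts below its release."""
    core, _, pre = version.lstrip("v").split("+")[0].partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return (nums, pre == "", pre)  # prerelease-vs-prerelease order simplified to string compare


def resolved_versions(lock_text: str) -> dict[str, set[str]]:
    """Collect every version each package resolves to anywhere in the lockfile."""
    found: dict[str, set[str]] = {}
    current = None
    for line in lock_text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = entry_name(header.group("keys"))
            continue
        version = _VERSION.match(line)
        if version and current:
            found.setdefault(current, set()).add(version.group("v"))
    return found


def find_stale(lock_text: str, floors: dict[str, str] = FLOORS) -> list[tuple[str, str]]:
    """Return (package, version) pairs resolved below their floor, every resolution checked."""
    stale = []
    for name, versions in resolved_versions(lock_text).items():
        floor = floors.get(name)
        if floor is None:
            continue
        stale.extend((name, v) for v in versions if semver_key(v) < semver_key(floor))
    return sorted(stale)


# Constructed, abbreviated classic-format excerpt (not this repo's lockfile). It keeps a
# second handlebars entry pinned at 4.7.8 and a lodash entry still on 4.17.23, the kind
# of leftover a range-only bump does not touch.
SAMPLE_LOCK = '''\
# yarn lockfile v1

"@babel/core@^7.29.0":
  version "7.29.7"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.29.7.tgz"

handlebars@^4.7.7:
  version "4.7.9"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.7.9.tgz"
  dependencies:
    minimist "^1.2.5"

handlebars@4.7.8:
  version "4.7.8"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.5"

minimatch@^9.0.0:
  version "9.0.5"

lodash@^4.17.21:
  version "4.17.23"
'''

if __name__ == "__main__":
    for name, version in find_stale(SAMPLE_LOCK):
        print(f"{name}@{version} is below floor {FLOORS[name]}")
```

Against a real checkout, pass the repository's own lockfile instead of the sample, for example `find_stale(open("yarn.lock").read())`; an empty result means every resolution of the thirteen packages is at or above the version the PR claims to move to, and anything listed is a second resolution the bump left behind.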

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jun 16, 2026


Pipelines

⚠️ Warnings

🚦 2 Pipeline jobs failed

  • tests | test (24)
  • tests | lint

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4048b96

@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jun 26, 2026

Contributor Author

Auto-rebase complete

Branch is up to date with main — rebased onto 8f1fdb7.


Auto-Rebase · Add no-auto-rebase to opt out

  • dd-octo-sts-c33ac5[bot] force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1781593317 branch from 8612ef3 to 4a3d12b (June 26, 2026 17:34)
  • dd-octo-sts-94e5d1[bot] force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1781593317 branch from 4a3d12b to 76f054f (June 26, 2026 18:48)
  • dd-octo-sts-c33ac5[bot] and others added 2 commits (June 26, 2026 19:47)
    Co-authored-by: dd-octo-sts-94e5d1[bot] <266798093+dd-octo-sts-94e5d1[bot]@users.noreply.github.com>
    Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
  • dd-octo-sts-c33ac5[bot] force-pushed the engraver-auto-version-upgrade/minorpatch/npm/0-1781593317 branch from 76f054f to 4048b96 (June 26, 2026 19:47)
