Introduce vulnerable dependency for PR demo

[justinnikolic]

Note

Adds handlebars@4.7.6 and refreshes lockfile with related dependency/version updates.

• Dependencies:
  • Add handlebars@4.7.6 to package.json.
• Lockfile updates (package-lock.json):
  • Bump handlebars to 4.7.6 with new deps minimist, neo-async, and wordwrap.
  • Upgrade minimist to 1.2.8; upgrade wordwrap to 1.0.0; add neo-async@2.6.2.
  • Refresh optimist and nested hbs dependency entries and integrity metadata.

^{Written by Cursor Bugbot for commit e02196c. This will update automatically on new commits. Configure here.}

[cursor]

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on January 1

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Bug: Vulnerable handlebars version with known RCE vulnerability

Adding handlebars version 4.7.6 which has known security vulnerabilities including CVE-2021-23369 (Remote Code Execution). Versions before 4.7.7 allow RCE when compiling templates from untrusted sources. The latest non-vulnerable version is 4.7.8. While the PR title indicates this is intentional for demo purposes, this introduces an exploitable security vulnerability into the codebase.

Additional Locations (1)

• package-lock.json#L24-L25