Context
PR #562 added 5 handlebars advisory entries to the audit allowlist (1 critical, 4 high). All are dev-only via ts-jest@29.4.5 -> handlebars@4.7.8. Not in published packages.
Current state
- Allowlist entries expire 2026-05-30
- handlebars is only used by ts-jest for internal template compilation
- No user-supplied templates are processed
- Production audit shows zero handlebars vulnerabilities
Remediation options
- Wait for handlebars 4.8.0+ with fixes
- Wait for ts-jest to drop handlebars dependency
- Evaluate replacing ts-jest with vitest-native TypeScript support (vitest already handles all test execution)
- Pin handlebars override to a patched version if available
Acceptance criteria
- pnpm audit shows zero handlebars advisories
- Audit allowlist entries for handlebars can be removed
- No test infrastructure regression
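
One way to check the acceptance criteria automatically, as an added example that is not code from this repository. It assumes the npm-audit-style `advisories` map that `pnpm audit --json` emits and a hypothetical allowlist shape (advisory id plus ISO expiry date); `advisoriesFor`, `checkHandlebars` and all sample ids and paths are constructed for illustration.

```javascript
// Constructed sample in the npm-audit-style shape that `pnpm audit --json` emits.
// Advisory ids and path strings are placeholders, not real advisory data.
const viaTsJest = [{ version: "4.7.8", paths: [". > ts-jest@29.4.5 > handlebars@4.7.8"] }];
const sampleAudit = {
  advisories: {
    "1000001": { module_name: "handlebars", severity: "critical", findings: viaTsJest },
    "1000002": { module_name: "handlebars", severity: "high", findings: viaTsJest },
    "1000003": { module_name: "example-other-pkg", severity: "low",
                 findings: [{ version: "1.0.0", paths: [". > example-other-pkg@1.0.0"] }] },
  },
};

// Hypothetical allowlist shape (assumption): advisory id plus ISO expiry date.
const sampleAllowlist = [
  { id: "1000001", expires: "2026-05-30" },
  { id: "1000002", expires: "2026-05-30" },
];

// Collect every advisory reported against one package, with its dependency paths.
function advisoriesFor(audit, moduleName) {
  return Object.entries(audit.advisories ?? {})
    .filter(([, adv]) => adv.module_name === moduleName)
    .map(([id, adv]) => ({
      id,
      severity: adv.severity,
      paths: (adv.findings ?? []).flatMap((f) => f.paths ?? []),
    }));
}

// `today` is an ISO date string (YYYY-MM-DD), so plain string comparison orders dates.
function checkHandlebars(audit, allowlist, today) {
  const found = advisoriesFor(audit, "handlebars");
  const foundIds = new Set(found.map((a) => a.id));
  const byId = new Map(allowlist.map((e) => [e.id, e]));
  return {
    found,
    // Advisories with no allowlist entry, or whose entry has expired.
    unallowed: found.filter((a) => !byId.has(a.id) || today > byId.get(a.id).expires)
      .map((a) => a.id),
    // Allowlist entries that no longer match any advisory and can be removed.
    removable: allowlist.filter((e) => !foundIds.has(e.id)).map((e) => e.id),
    // A path that does not pass through ts-jest breaks the dev-only assumption.
    unexpectedPaths: found.flatMap((a) => a.paths).filter((p) => !p.includes("ts-jest@")),
  };
}

console.log(checkHandlebars(sampleAudit, sampleAllowlist, "2026-05-01"));
```

The issue can be closed when `found` is empty and every handlebars entry appears in `removable`; a non-empty `unexpectedPaths` means handlebars is reachable through something other than ts-jest and the dev-only assessment needs revisiting.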