fix: force handlebars core to 4.5.2 to resolve path traversal CVE #353

Open
curfew-marathon wants to merge 2 commits into main from fix/force-handlebars-452
Conversation

@curfew-marathon (Contributor)

Summary

Resolves Dependabot alert #11: com.github.jknack:handlebars < 4.5.2 is vulnerable to a path traversal attack via FileTemplateLoader / ClassPathTemplateLoader (GHSA-r4gv-qr8j-p3pg).

Root cause

handlebars 4.3.1 is not a direct dependency — it is pulled in transitively by org.wiremock:wiremock:3.13.2, which is a test-only dependency. The vulnerability was patched in handlebars 4.5.2, but WireMock's 3.x stable line has not backported the fix. Only the WireMock 4.x beta line (4.0.0-beta.37+) ships handlebars 4.5.2.

Fix

Force com.github.jknack:handlebars to 4.5.2 in testRuntimeClasspath via Gradle's resolution strategy:

configurations.testRuntimeClasspath {
    // Pin the transitive core jar pulled in by WireMock 3.x to the patched release;
    // handlebars-helpers is deliberately left alone (see below).
    resolutionStrategy.force 'com.github.jknack:handlebars:4.5.2'
}

Why only the core jar?

An initial attempt forced both handlebars and handlebars-helpers to 4.5.2. This caused 33 test failures at runtime:

java.lang.NoClassDefFoundError: com/github/jknack/handlebars/helper/NumberHelper

Between 4.3.1 and 4.5.2, NumberHelper moved from com.github.jknack.handlebars.helper to com.github.jknack.handlebars.helper.ext. WireMock 3.x was compiled against the old package, so forcing handlebars-helpers to 4.5.2 breaks WireMock at runtime. The path traversal CVE is in the core handlebars jar only, so forcing just that jar is sufficient to resolve the alert.

Practical risk

Low. The path traversal only affects applications that pass user-controlled input to FileTemplateLoader.compile(). WireMock uses handlebars internally for stub response templating with test-authored templates — there is no user-controlled input involved. However, the fix is low-risk and clears the Dependabot alert.

Test plan

  • All 335 existing unit tests pass with handlebars forced to 4.5.2
  • Confirmed failures when handlebars-helpers is also forced (reverted)
  • Dependency tree shows handlebars:4.3.1 -> 4.5.2 after the force

WireMock 3.x pulls in handlebars 4.3.1 which has a path traversal
vulnerability (GHSA-r4gv-qr8j-p3pg) fixed in 4.5.2. WireMock 3.x has
not backported the fix, so we force the core jar directly.
handlebars-helpers cannot be forced to 4.5.2 as NumberHelper moved
packages, breaking WireMock at runtime.
Copilot AI review requested due to automatic review settings June 29, 2026 02:58
@curfew-marathon curfew-marathon requested a review from a team as a code owner June 29, 2026 02:58
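The test plan above verifies the force by reading the dependency tree by hand. The check below turns that into a CI gate: it parses the text report produced by `./gradlew dependencies --configuration testRuntimeClasspath` and fails if any path in the tree, including repeated "(*)" subtrees, still resolves `com.github.jknack:handlebars` below 4.5.2, while confirming that `handlebars-helpers` stayed on 4.3.1. This is an added example written for this page, not code from the PR, WireMock or handlebars. The two report texts are constructed to mimic Gradle's `requested -> resolved` format rather than captured from the project, and the version ordering is a simplified Maven-style comparison (an assumption, adequate for the versions discussed here).

```python
"""Gate on the resolved version of a forced transitive dependency.

Added example (not code from this PR, WireMock or handlebars). Parses the
report printed by `./gradlew dependencies --configuration testRuntimeClasspath`
and reports every path that resolves a coordinate below its patched version.
Both report texts are constructed to mimic Gradle's format, not captured.
"""
import re
from typing import Dict, List, Tuple

# Constructed report before the force: the core jar arrives at 4.3.1 via WireMock.
TREE_BEFORE = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.wiremock:wiremock:3.13.2
|    +--- com.github.jknack:handlebars:4.3.1
|    \\--- com.github.jknack:handlebars-helpers:4.3.1
|         \\--- com.github.jknack:handlebars:4.3.1 (*)
\\--- org.junit.jupiter:junit-jupiter:5.11.0
"""

# Constructed report after `resolutionStrategy.force 'com.github.jknack:handlebars:4.5.2'`.
# Gradle prints "requested -> resolved" where resolution changed the version and
# "(*)" where a subtree was already listed. handlebars-helpers stays at 4.3.1.
TREE_AFTER = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.wiremock:wiremock:3.13.2
|    +--- com.github.jknack:handlebars:4.3.1 -> 4.5.2
|    \\--- com.github.jknack:handlebars-helpers:4.3.1
|         \\--- com.github.jknack:handlebars:4.3.1 -> 4.5.2 (*)
\\--- org.junit.jupiter:junit-jupiter:5.11.0
"""

# "group:name:version" optionally followed by " -> resolvedVersion"; trailing
# markers such as "(*)", "(c)" or "(n)" fall outside the match.
_DEP_LINE = re.compile(r"([\w.\-]+:[\w.\-]+):([\w.\-+]+)(?:\s*->\s*([\w.\-+]+))?")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Ordering key: numeric dotted core, then 1 for a release and 0 for anything
    carrying a qualifier, so 4.0.0-beta.37 sorts below 4.0.0. Simplified
    Maven-style ordering (assumption), sufficient for the versions seen here."""
    core, sep, _qualifier = version.partition("-")
    numbers = tuple(int(part) for part in core.split(".") if part.isdigit())
    return numbers, 0 if sep else 1


def resolved_versions(report: str, coordinate: str) -> List[str]:
    """Every resolved version of `coordinate` (group:name), one entry per
    occurrence including "(*)" repeats: a force that misses one path leaves the
    old jar on the classpath even when the first path looks fixed."""
    versions = []
    for line in report.splitlines():
        match = _DEP_LINE.search(line)
        if match and match.group(1) == coordinate:
            versions.append(match.group(3) or match.group(2))
    return versions


def check_minimums(report: str, minimums: Dict[str, str]) -> List[str]:
    """One message per violation: a coordinate absent from the report, or an
    occurrence resolved below its minimum. An empty list means the gate passes."""
    violations = []
    for coordinate, minimum in minimums.items():
        versions = resolved_versions(report, coordinate)
        if not versions:
            violations.append(f"{coordinate}: not present in the report")
        for version in versions:
            if parse_version(version) < parse_version(minimum):
                violations.append(f"{coordinate}: resolved {version} < {minimum}")
    return violations


if __name__ == "__main__":
    # Mirrors the PR: the core jar must be >= 4.5.2; helpers must stay on 4.3.1,
    # the line WireMock 3.x was compiled against.
    requirements = {"com.github.jknack:handlebars": "4.5.2"}
    print("before:", check_minimums(TREE_BEFORE, requirements))
    print("after: ", check_minimums(TREE_AFTER, requirements))
    print("helpers:", resolved_versions(TREE_AFTER, "com.github.jknack:handlebars-helpers"))
```

Feeding the real report into `check_minimums` from a CI step and failing the job on a non-empty result catches the case the PR's manual check cannot: a later dependency bump that introduces a second path to the core jar which the force no longer covers.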

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



@coderabbitai (Bot) commented Jun 29, 2026

Warning

Review limit reached

@curfew-marathon, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 27 minutes and 13 seconds. Learn how PR review limits work.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bd25142e-ea3d-4a2d-a641-106a6856d8fb

📥 Commits

Reviewing files that changed from the base of the PR and between 272a257 and 004855c.

📒 Files selected for processing (1)
  • build.gradle

@codecov-commenter commented Jun 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.69%. Comparing base (272a257) to head (004855c).

❌ Your project status has failed because the head coverage (38.69%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff              @@
##               main     #353      +/-   ##
============================================
+ Coverage     38.68%   38.69%   +0.01%     
- Complexity     1288     1289       +1     
============================================
  Files           198      198              
  Lines          7704     7704              
  Branches        900      900              
============================================
+ Hits           2980     2981       +1     
  Misses         4576     4576              
+ Partials        148      147       -1     


@SoulPancake SoulPancake requested a review from Copilot June 29, 2026 06:36

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.
