fix(deps): vuln minor: dompurify, webpack · patch: handlebars [ui]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

• ui (yarn)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
handlebars	4.7.8	4.7.9	patch	Direct	2 CRITICAL, 8 HIGH, 3 MODERATE, 1 LOW
dompurify	3.2.6	3.4.2	minor	Direct	11 MODERATE
webpack	5.94.0	5.106.2	minor	Direct	4 LOW

---

Security Details

🚨 Critical & High Severity (10 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
handlebars	CVE-2026-33937	CRITICAL	Handlebars.js has JavaScript Injection via AST Type Confusion	4.7.8	-
handlebars	GHSA-2w6w-674q-4c4q	CRITICAL	Handlebars.js has JavaScript Injection via AST Type Confusion	4.7.8	4.7.9
handlebars	GHSA-xjpj-3mr7-gcpf	HIGH	Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options	4.7.8	4.7.9
handlebars	CVE-2026-33939	HIGH	Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation	4.7.8	-
handlebars	GHSA-9cx6-37pm-9jff	HIGH	Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation	4.7.8	4.7.9
handlebars	CVE-2026-33938	HIGH	Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block	4.7.8	-
handlebars	GHSA-3mfm-83xf-c92r	HIGH	Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block	4.7.8	4.7.9
handlebars	CVE-2026-33940	HIGH	Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial	4.7.8	-
handlebars	GHSA-xhpv-hc6g-r9c6	HIGH	Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial	4.7.8	4.7.9
handlebars	CVE-2026-33941	HIGH	Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options	4.7.8	-

ℹ️ Other Vulnerabilities (19)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
dompurify	GHSA-v2wj-7wpq-c8vv	MODERATE	DOMPurify contains a Cross-site Scripting vulnerability	3.2.6	3.3.2
dompurify	GHSA-39q2-94rc-95cp	MODERATE	DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation	3.2.6	3.4.0
dompurify	GHSA-cj63-jhhr-wcxv	MODERATE	DOMPurify USE_PROFILES prototype pollution allows event handlers	3.2.6	3.3.2
dompurify	GHSA-cjmm-f4jc-qw8r	MODERATE	DOMPurify ADD_ATTR predicate skips URI validation	3.2.6	3.3.2
dompurify	GHSA-v8jm-5vwx-cfxm	MODERATE	DOMPurify contains a Cross-site Scripting vulnerability	3.2.6	3.2.7
dompurify	CVE-2025-15599	MODERATE	-	3.2.6	-
dompurify	GHSA-crv5-9vww-q3g8	MODERATE	DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode	3.2.6	3.4.0
dompurify	GHSA-v9jr-rg53-9pgp	MODERATE	DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback	3.2.6	3.4.0
dompurify	CVE-2026-0540	MODERATE	-	3.2.6	-
dompurify	GHSA-h8r8-wccr-v5f2	MODERATE	DOMPurify is vulnerable to mutation-XSS via Re-Contextualization	3.2.6	3.3.2
dompurify	GHSA-h7mw-gpvr-xq4m	MODERATE	DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)	3.2.6	3.4.0
handlebars	CVE-2026-33916	MODERATE	Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection	4.7.8	-
handlebars	GHSA-2qvq-rjwj-gvw9	MODERATE	Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection	4.7.8	4.7.9
handlebars	GHSA-7rx3-28cr-v5wh	MODERATE	Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry	4.7.8	4.7.9
handlebars	GHSA-442j-39wm-28r2	LOW	Handlebars.js has a Property Access Validation Bypass in container.lookup	4.7.8	4.7.9
webpack	GHSA-38r7-794h-5758	LOW	webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence	5.94.0	5.104.0
webpack	CVE-2025-68458	LOW	webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior	5.94.0	-
webpack	GHSA-8fgc-7cc6-rx7x	LOW	webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior	5.94.0	5.104.1
webpack	CVE-2025-68157	LOW	webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects	5.94.0	-

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System