Handlebars v4.3.1 affected by CVE-2025-48924 - request to upgrade to v4.5.0

[Max5698]

Hello,

I noticed that the latest published version as well as the current pom.xml configuration still references Handlebars v4.3.1, which is affected by CVE-2025-48924.

Would it be possible to upgrade to Handlebars v4.5.0, along with handlebars-jackson

<dependency>
    <groupId>com.github.jknack</groupId>
    <artifactId>handlebars-jackson</artifactId>
    <version>4.5.0</version>
</dependency>

instead of using handlebars-jackson2, to mitigate this vulnerability?

Thanks in advance for looking into this!

[wing328]

handlebars-jackson2 latest version is still v4.3.1. if i'm not mistaken.

filed #21976 but found that latest version v4.5.0 seems only support jdk 17+

we will do the update later when this project drops jdk 11 support.