Override transitive dependency version to address security issue

[soumeh01]

Fixes

• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/30
• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/27
• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/29
• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/26
• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/31
• https://github.com/Open-CMSIS-Pack/vscode-cmsis-solution/security/dependabot/21

Checklist

• 🤖 This change is covered by unit tests (if applicable).
• 🤹 Manual testing has been performed (if necessary).
• 🛡️ Security impacts have been considered (if relevant).
• 📖 Documentation updates are complete (if required).
• 🧠 Third-party dependencies and TPIP updated (if required).

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/handlebars	4.7.9	🟢 6.1	Details Check Score Reason Code-Review 🟢 8 Found 13/16 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json

[qltysh]

Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

[JonatanAntoni]

This will hard-pin all transitive dependencies to that specific version. Is that intended? Or do we need to be slightly more specific about the conditions we want to force-update?

[soumeh01]

You are right, It needed to be specific
Update handlebars dependency version constraint