Dependabot alerts for wrong version?

I have a repository that uses Handlebars. It is currently using version 4.7.7, as I can see in the code and the package.json file.
The Dependabot alerts still alert me to upgrade handlebars to version 4.7.7 or later.


critical severity

Vulnerable versions: < 4.7.7

Patched version: 4.7.7

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

The file location is at

And package.json

Is this a Dependabot bug, or what do I have to do? I’m already using the latest version of Handlebars.