fix(deps): bump lodash to ^4.18.1 (CVE-2026-4800)#4019
Conversation
e1d6ed1 to
cf05407
Compare
|
@jasongrout, the failed CI here is likely unrelated to this upgrade. Could you (or another maintainer) please re-trigger it and help me getting this merged? Thank you in advance! |
|
Thanks for doing this!
We are not using this method here. I guess it's fair to say we're not impacted by this vulnerability then? (I'm more or less asking if I should make it my top priority to help getting this merged and released.) |
Since That said, many users rely on the automated security scanning, and keeping the dependencies on patched versions helps avoid unnecessary vulnerability findings downstream. So if you can help getting this merged and released, that would be really helpful. Thank you! |
|
#4022 fixes CI |
Summary
lodashfrom^4.17.4to^4.18.1inpackages/base/package.json_.template(CVSS 8.6)Context
CVE-2026-4800 (SNYK-JS-LODASH-15869625) affects all lodash versions below 4.18.1. While the codebase only uses
lodash/isEqualand does not call the vulnerable_.templatefunction, the outdated resolution triggers High severity findings in downstream security scanners, blocking release gating and compliance checks.This is a minor version bump with no breaking changes.
Test plan
yarn installresolves without errorslodashresolves to ≥4.18.1 in lockfile