Skip to content

fix(deps): bump lodash to ^4.18.1 (CVE-2026-4800)#4019

Open
rodrigosf672 wants to merge 3 commits into
jupyter-widgets:mainfrom
rodrigosf672:bump-lodash-4.18.1
Open

fix(deps): bump lodash to ^4.18.1 (CVE-2026-4800)#4019
rodrigosf672 wants to merge 3 commits into
jupyter-widgets:mainfrom
rodrigosf672:bump-lodash-4.18.1

Conversation

@rodrigosf672

@rodrigosf672 rodrigosf672 commented May 28, 2026

Copy link
Copy Markdown

Summary

  • Bumps lodash from ^4.17.4 to ^4.18.1 in packages/base/package.json
  • Addresses High severity arbitrary code injection vulnerability in _.template (CVSS 8.6)
  • Updates yarn.lock accordingly

Context

CVE-2026-4800 (SNYK-JS-LODASH-15869625) affects all lodash versions below 4.18.1. While the codebase only uses lodash/isEqual and does not call the vulnerable _.template function, the outdated resolution triggers High severity findings in downstream security scanners, blocking release gating and compliance checks.

This is a minor version bump with no breaking changes.

Test plan

  • yarn install resolves without errors
  • lodash resolves to ≥4.18.1 in lockfile
  • Existing test suite passes

@github-actions

Copy link
Copy Markdown

Binder 👈 Launch a binder notebook on branch rodrigosf672/ipywidgets/bump-lodash-4.18.1

@goelakash goelakash left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comment, but LGTM otherwise

Comment thread packages/base/package.json
@rodrigosf672 rodrigosf672 requested a review from goelakash June 7, 2026 14:14
@rodrigosf672

Copy link
Copy Markdown
Author

@jasongrout, the failed CI here is likely unrelated to this upgrade. Could you (or another maintainer) please re-trigger it and help me getting this merged? Thank you in advance!

@martinRenou

martinRenou commented Jun 9, 2026

Copy link
Copy Markdown
Member

Thanks for doing this!

Addresses High severity arbitrary code injection vulnerability in _.template (CVSS 8.6)

We are not using this method here. I guess it's fair to say we're not impacted by this vulnerability then?

(I'm more or less asking if I should make it my top priority to help getting this merged and released.)

@rodrigosf672

Copy link
Copy Markdown
Author

Thanks for doing this!

Addresses High severity arbitrary code injection vulnerability in _.template (CVSS 8.6)

We are not using this method here. I guess it's fair to say we're not impacted by this vulnerability then?

(I'm more or less asking if I should make it my top priority to help getting this merged and released.)

Since _.template isn't used, I'd agree this is not an urgent exploitable issue for ipywidgets.

That said, many users rely on the automated security scanning, and keeping the dependencies on patched versions helps avoid unnecessary vulnerability findings downstream.

So if you can help getting this merged and released, that would be really helpful. Thank you!

@krassowski

Copy link
Copy Markdown
Contributor

#4022 fixes CI

Comment thread yarn.lock Outdated
@rodrigosf672 rodrigosf672 requested a review from martinRenou June 16, 2026 04:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants