From e388bd7d085212d413ffe2da52fa41cc1ec1a994 Mon Sep 17 00:00:00 2001
From: "renovate-sh-app[bot]" <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:51:48 +0000
Subject: [PATCH] chore(deps): update dependency lodash to v4.17.23 [security] (#2236)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [lodash](https://lodash.com/) ([source](https://redirect.github.com/lodash/lodash)) | [`4.17.21` → `4.17.23`](https://renovatebot.com/diffs/npm/lodash/4.17.21/4.17.23) | ![age](https://developer.mend.io/api/mc/badges/age/npm/lodash/4.17.23?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/lodash/4.17.21/4.17.23?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-13465](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)

### Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior.

### Patches

This issue is patched on 4.17.23.

---

### Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

[CVE-2025-13465](https://nvd.nist.gov/vuln/detail/CVE-2025-13465) / [GHSA-xxjr-mmjv-4gpg](https://redirect.github.com/advisories/GHSA-xxjr-mmjv-4gpg)
More information

#### Details

##### Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior.

##### Patches

This issue is patched on 4.17.23.

#### Severity

- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P`

#### References

- [https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-13465](https://nvd.nist.gov/vuln/detail/CVE-2025-13465)
- [https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81](https://redirect.github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81)
- [https://github.com/lodash/lodash](https://redirect.github.com/lodash/lodash)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xxjr-mmjv-4gpg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

---

### Release Notes

lodash/lodash (lodash)

### [`v4.17.23`](https://redirect.github.com/lodash/lodash/compare/4.17.21...4.17.23)

[Compare Source](https://redirect.github.com/lodash/lodash/compare/4.17.21...4.17.23)
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> --- package.json | 2 +- yarn.lock | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index e5e64e1..642d9ab 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,7 @@ "imports-loader": "5.0.0", "jest": "30.2.0", "jest-environment-jsdom": "30.2.0", - "lodash": "4.17.21", + "lodash": "4.17.23", "mini-css-extract-plugin": "2.10.0", "moment": "2.30.1", "postcss": "8.5.6", diff --git a/yarn.lock b/yarn.lock index 29ce916..116465c 100644 --- a/yarn.lock +++ b/yarn.lock @@ -7621,7 +7621,7 @@ __metadata: imports-loader: "npm:5.0.0" jest: "npm:30.2.0" jest-environment-jsdom: "npm:30.2.0" - lodash: "npm:4.17.21" + lodash: "npm:4.17.23" mini-css-extract-plugin: "npm:2.10.0" moment: "npm:2.30.1" postcss: "npm:8.5.6" 
@@ -9299,13 +9299,20 @@ __metadata: languageName: node linkType: hard -"lodash@npm:4.17.21, lodash@npm:^4.1.1, lodash@npm:^4.17.15, lodash@npm:^4.17.21, lodash@npm:^4.17.4": +"lodash@npm:4.17.21": version: 4.17.21 resolution: "lodash@npm:4.17.21" checksum: 10c0/d8cbea072bb08655bb4c989da418994b073a608dffa608b09ac04b43a791b12aeae7cd7ad919aa4c925f33b48490b5cfe6c1f71d827956071dae2e7bb3a6b74c languageName: node linkType: hard +"lodash@npm:4.17.23, lodash@npm:^4.1.1, lodash@npm:^4.17.15, lodash@npm:^4.17.21, lodash@npm:^4.17.4": + version: 4.17.23 + resolution: "lodash@npm:4.17.23" + checksum: 10c0/1264a90469f5bb95d4739c43eb6277d15b6d9e186df4ac68c3620443160fc669e2f14c11e7d8b2ccf078b81d06147c01a8ccced9aab9f9f63d50dcf8cace6bf6 + languageName: node + linkType: hard + "long@npm:^5.0.0": version: 5.3.2 resolution: "long@npm:5.3.2"
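Review bot: the remediation in this hunk is incomplete, because the `-"lodash@npm:4.17.21, lodash@npm:^4.1.1, …"` / `+"lodash@npm:4.17.21":` change keeps an entry that still resolves to `version: 4.17.21` in yarn.lock; only the ranged descriptors (`^4.1.1`, `^4.17.15`, `^4.17.21`, `^4.17.4`) and the workspace's own pin moved to the new `lodash@npm:4.17.23` block. Yarn drops unreferenced entries on install, so some other package in the graph must declare lodash at exactly 4.17.21, and the vulnerable build remains installed next to 4.17.23 despite the `[security]` label on the PR. Before merging as a fix for CVE-2025-13465, run `yarn why lodash` to find the dependent that carries the exact pin and either update that dependent or add a `resolutions` entry in package.json forcing `lodash` to `4.17.23`, so that the leftover `lodash@npm:4.17.21` block disappears from the lockfile; a `yarn install --immutable` run in CI will then also confirm the new `checksum:` line and that no further entries drift.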