chore(deps): update dependency lodash to v4.17.23 [security] (#2236)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [lodash](https://lodash.com/) ([source](https://redirect.github.com/lodash/lodash)) | [`4.17.21` → `4.17.23`](https://renovatebot.com/diffs/npm/lodash/4.17.21/4.17.23) | | |
### GitHub Vulnerability Alerts
#### [CVE-2025-13465](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)
### Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype
pollution in the `_.unset` and `_.omit` functions. An attacker can pass
crafted paths which cause Lodash to delete methods from global
prototypes.
The issue permits deletion of properties but does not allow overwriting
their original behavior.
### Patches
This issue is patched on 4.17.23.
---
### Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
[CVE-2025-13465](https://nvd.nist.gov/vuln/detail/CVE-2025-13465) /
[GHSA-xxjr-mmjv-4gpg](https://redirect.github.com/advisories/GHSA-xxjr-mmjv-4gpg)
<details>
<summary>More information</summary>
#### Details
##### Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype
pollution in the `_.unset` and `_.omit` functions. An attacker can pass
crafted paths which cause Lodash to delete methods from global
prototypes.
The issue permits deletion of properties but does not allow overwriting
their original behavior.
##### Patches
This issue is patched on 4.17.23.
#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P`
#### References
- [https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-13465](https://nvd.nist.gov/vuln/detail/CVE-2025-13465)
- [edadd45214)
- [https://github.com/lodash/lodash](https://redirect.github.com/lodash/lodash)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-xxjr-mmjv-4gpg) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>lodash/lodash (lodash)</summary>
### [`v4.17.23`](https://redirect.github.com/lodash/lodash/compare/4.17.21...4.17.23)
[Compare Source](https://redirect.github.com/lodash/lodash/compare/4.17.21...4.17.23)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
## Need help?
You can ask for more help in the following Slack channel:
#proj-renovate-self-hosted. In that channel you can also find ADR and
FAQ docs in the Resources section.
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
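The advisory quoted in the commit message gives an affected range (4.0.0 through 4.17.22), so a lockfile can be checked for installed lodash copies that a manifest bump does not reach. This is an added example, not part of the commit, Renovate or lodash; it assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3), and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: flag lodash copies in an npm lockfile that fall inside the
// affected range stated in the advisory (4.0.0 through 4.17.22).
const AFFECTED_MIN = [4, 0, 0];  // lower bound, from the advisory
const PATCHED = [4, 17, 23];     // first patched release, from the advisory

// Parse "x.y.z" into numbers; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-way comparison of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, PATCHED) < 0;
}

// Walk the "packages" map and return every installed lodash copy,
// top-level or nested under another dependency, that is in the range.
function findAffectedLodash(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/lodash$/.test(path) && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical packages, not this repository's).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { lodash: '4.17.23' } },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/example-plugin/node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash-es': { version: '4.17.21' },
    'node_modules/legacy-tool/node_modules/lodash': { version: '3.10.1' },
  },
};
console.log(findAffectedLodash(sampleLock));
```

Only the package named `lodash` is matched, because that is the only package the advisory text on this page covers.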
committed by
GitHub
parent
ff4ddc6ead
commit
e388bd7d08
@@ -82,7 +82,7 @@
|
||||
"imports-loader": "5.0.0",
|
||||
"jest": "30.2.0",
|
||||
"jest-environment-jsdom": "30.2.0",
|
||||
"lodash": "4.17.21",
|
||||
"lodash": "4.17.23",
|
||||
"mini-css-extract-plugin": "2.10.0",
|
||||
"moment": "2.30.1",
|
||||
"postcss": "8.5.6",
|
||||
|
||||
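Review bot: No lockfile change is visible alongside the `"lodash": "4.17.23"` line, which is the only change this commit shows, so the manifest pin alone does not demonstrate that the installed tree resolves to the patched release. Please confirm the lockfile is regenerated in the same change and that no other dependency still pulls in a nested lodash between 4.0.0 and 4.17.22, the range the advisory in the commit message lists as affected. Since the message states that automerge is enabled and the release notes section links only to a compare view, a CI step that fails on an in-range lodash would give this update a check that does not depend on manual review.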