diff --git a/.gitignore b/.gitignore
index 7f12a4e..154db02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 node_modules
 tmp
 npm-debug.log
-.vscode
\ No newline at end of file
+.vscode
+.idea/
+.DS_Store
diff --git a/README.md b/README.md
index 9a084b5..50a7893 100644
--- a/README.md
+++ b/README.md
@@ -325,6 +325,10 @@ When you visit the site, you'll see the output of various cfenv calls.
 changes
 ================================================================================
 
+**1.2.6** - 2026/04/16
+
+- upgrade `underscore` to `1.13.x` to address `CVE-2026-27601` and [GHSA-qpx9-hpmf-5gmw](https://github.com/advisories/GHSA-qpx9-hpmf-5gmw) - pr #58
+
 **1.2.5** - 2025/12/01
 
 - upgrade `js.yaml` to 4.1.x for [CVE-2025-64718][] - [pr #56][]
diff --git a/package.json b/package.json
index f52a8ff..cc54868 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
     "name": "cfenv",
     "main": "./lib/cfenv",
     "description": "easy access to your Cloud Foundry application environment",
-    "version": "1.2.5",
+    "version": "1.2.6",
     "author": "pmuellr",
     "license": "Apache-2.0",
     "homepage": "https://github.com/cloudfoundry-community/node-cfenv",
@@ -19,7 +19,7 @@
     "dependencies": {
         "js-yaml": "4.1.x",
         "ports": "1.1.x",
-        "underscore": "1.12.x"
+        "underscore": "1.13.x"
     },
     "devDependencies": {
         "coffeescript": "1.12.x",