From cf56cc6c0ae9b05393a19d63b3bae1922cee689b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:12:19 +0000
Subject: [PATCH 1/2] chore(deps): bump lodash from 4.17.23 to 4.18.1

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 package-lock.json | 8 ++++----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index aa16d3f..6350ada 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "@actions/core": "^2.0.3",
 "@actions/exec": "^2.0.0",
- "lodash": "^4.17.23"
+ "lodash": "^4.18.1"
 },
 "devDependencies": {
 "@jest/globals": "^30.3.0",
@@ -4959,9 +4959,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "license": "MIT"
 },
 "node_modules/lodash.memoize": {
diff --git a/package.json b/package.json
index 636eb81..71795fe 100644
--- a/package.json
+++ b/package.json
@@ -70,7 +70,7 @@
 "dependencies": {
 "@actions/core": "^2.0.3",
 "@actions/exec": "^2.0.0",
- "lodash": "^4.17.23"
+ "lodash": "^4.18.1"
 },
 "devDependencies": {
 "@jest/globals": "^30.3.0",

From 27d89b94a45c3fc1a3926996d4c571e24df42bb8 Mon Sep 17 00:00:00 2001
From: DJ Mountney Date: Mon, 13 Apr 2026 08:16:18 -0700 Subject: [PATCH 2/2] chore: add transpiled js --- dist/index.js | 65 ++++++++++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/dist/index.js b/dist/index.js index 970daf9..9cef71c 100644 --- a/dist/index.js +++ b/dist/index.js @@ -3465,7 +3465,7 @@ function copyFile(srcFile, destFile, force) { var undefined; /** Used as the semantic version number. */ - var VERSION = '4.17.23'; + var VERSION = '4.18.1'; /** Used as the size to enable large array optimizations. */ var LARGE_ARRAY_SIZE = 200; @@ -3473,7 +3473,8 @@ function copyFile(srcFile, destFile, force) { /** Error message constants. */ var CORE_ERROR_TEXT = 'Unsupported core-js use. Try https://npms.io/search?q=ponyfill.', FUNC_ERROR_TEXT = 'Expected a function', - INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`'; + INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`', + INVALID_TEMPL_IMPORTS_ERROR_TEXT = 'Invalid `imports` option passed into `_.template`'; /** Used to stand-in for `undefined` hash values. */ var HASH_UNDEFINED = '__lodash_hash_undefined__'; @@ -5205,6 +5206,10 @@ function copyFile(srcFile, destFile, force) { * embedded Ruby (ERB) as well as ES2015 template strings. Change the * following template settings to use alternative delimiters. * + * **Security:** See + * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md) + * — `_.template` is insecure and will be removed in v5. + * * @static * @memberOf _ * @type {Object} @@ -5753,7 +5758,7 @@ function copyFile(srcFile, destFile, force) { * @name has * @memberOf SetCache * @param {*} value The value to search for. - * @returns {number} Returns `true` if `value` is found, else `false`. + * @returns {boolean} Returns `true` if `value` is found, else `false`. */ function setCacheHas(value) { return this.__data__.has(value); 
@@ -7824,7 +7829,9 @@ function copyFile(srcFile, destFile, force) { function baseUnset(object, path) { path = castPath(path, object); - // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg + // Prevent prototype pollution: + // https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg + // https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh var index = -1, length = path.length; @@ -7832,32 +7839,17 @@ function copyFile(srcFile, destFile, force) { return true; } - var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function'); - while (++index < length) { - var key = path[index]; - - // skip non-string keys (e.g., Symbols, numbers) - if (typeof key !== 'string') { - continue; - } + var key = toKey(path[index]); // Always block "__proto__" anywhere in the path if it's not expected if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) { return false; } - // Block "constructor.prototype" chains - if (key === 'constructor' && - (index + 1) < length && - typeof path[index + 1] === 'string' && - path[index + 1] === 'prototype') { - - // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a') - if (isRootPrimitive && index === 0) { - continue; - } - + // Block constructor/prototype as non-terminal traversal keys to prevent + // escaping the object graph into built-in constructors and prototypes. + if ((key === 'constructor' || key === 'prototype') && index < length - 1) { return false; } } @@ -10414,7 +10406,7 @@ function copyFile(srcFile, destFile, force) { /** * Creates an array with all falsey values removed. The values `false`, `null`, - * `0`, `""`, `undefined`, and `NaN` are falsey. + * `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy. * * @static * @memberOf _ 
@@ -10953,7 +10945,7 @@ function copyFile(srcFile, destFile, force) { while (++index < length) { var pair = pairs[index]; - result[pair[0]] = pair[1]; + baseAssignValue(result, pair[0], pair[1]); } return result; } @@ -17613,6 +17605,8 @@ function copyFile(srcFile, destFile, force) { * **Note:** JavaScript follows the IEEE-754 standard for resolving * floating-point values which can produce unexpected results. * + * **Note:** If `lower` is greater than `upper`, the values are swapped. + * * @static * @memberOf _ * @since 0.7.0 @@ -17626,9 +17620,16 @@ function copyFile(srcFile, destFile, force) { * _.random(0, 5); * // => an integer between 0 and 5 * + * // when lower is greater than upper the values are swapped + * _.random(5, 0); + * // => an integer between 0 and 5 + * * _.random(5); * // => also an integer between 0 and 5 * + * _.random(-5); + * // => an integer between -5 and 0 + * * _.random(5, true); * // => a floating-point number between 0 and 5 * @@ -18230,6 +18231,10 @@ function copyFile(srcFile, destFile, force) { * properties may be accessed as free variables in the template. If a setting * object is given, it takes precedence over `_.templateSettings` values. * + * **Security:** `_.template` is insecure and should not be used. It will be + * removed in Lodash v5. Avoid untrusted input. See + * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md). + * * **Note:** In the development build `_.template` utilizes * [sourceURLs](http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl) * for easier debugging. 
@@ -18337,12 +18342,18 @@ function copyFile(srcFile, destFile, force) { options = undefined; } string = toString(string); - options = assignInWith({}, options, settings, customDefaultsAssignIn); + options = assignWith({}, options, settings, customDefaultsAssignIn); - var imports = assignInWith({}, options.imports, settings.imports, customDefaultsAssignIn), + var imports = assignWith({}, options.imports, settings.imports, customDefaultsAssignIn), importsKeys = keys(imports), importsValues = baseValues(imports, importsKeys); + arrayEach(importsKeys, function(key) { + if (reForbiddenIdentifierChars.test(key)) { + throw new Error(INVALID_TEMPL_IMPORTS_ERROR_TEXT); + } + }); + var isEscaping, isEvaluating, index = 0,