
EUREKA-883: Bump lodash 4.17.21 -> ^4.18.1 fix CVEs #3593

Merged
zburke merged 3 commits into R1-2025-okapi from EUREKA-883-lodash on Jun 24, 2026

Conversation

@julianladisch (Contributor) commented Apr 23, 2026

…26-2950

https://folio-org.atlassian.net/browse/EUREKA-883

Bump lodash from 4.17.21 to ^4.18.0 in the resolutions section of package.json.

This fixes:

* GHSA-xxjr-mmjv-4gpg CVE-2025-13465 - lodash prototype pollution
* GHSA-f23m-r3pf-42rh CVE-2026-2950 - lodash Prototype Pollution
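A `resolutions` entry only removes the vulnerable code if every nested copy of lodash in the installed tree was actually forced to the patched release. The script below is an added example, not code from this PR or the FOLIO project: it walks an `npm ls --json --all`-style dependency tree and reports each copy of a package that is still below a minimum version. The tree embedded in it is constructed sample data, and the minimum version `4.18.1` is taken from the PR title; nothing here is derived from the real repository's lockfile.

```javascript
// Added example (not part of the PR or the FOLIO project): find every installed
// copy of a package that is still below the patched version, even when a
// resolutions entry pinned the top-level copy. FIXED_LODASH mirrors the ^4.18.1
// target in the PR title; the tree below is constructed sample data.

const FIXED_LODASH = '4.18.1';

// Parse "4.17.21" (a leading "v" or a prerelease/build suffix is tolerated and
// ignored) into [major, minor, patch]. Exact installed versions only, no ranges.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively collect every installed copy of `name`, with the path of
// packages that pulled it in (the shape `npm ls --json --all` emits:
// { dependencies: { <pkg>: { version, dependencies: {...} } } }).
function findCopies(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [depName, dep] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name && dep.version) {
      out.push({ path: here.join(' > '), version: dep.version });
    }
    findCopies(dep, name, here, out);
  }
  return out;
}

// Copies that are still older than minVersion. An empty result is what a
// successful resolutions bump should produce.
function vulnerableCopies(tree, name, minVersion) {
  return findCopies(tree, name).filter(
    (c) => compareVersions(c.version, minVersion) < 0,
  );
}

// Constructed sample tree: the top-level copy was pinned, but one transitive
// copy under a hypothetical "some-ui-lib" escaped deduplication.
const SAMPLE_TREE = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    lodash: { version: '4.18.1' },
    'some-ui-lib': {
      version: '2.0.0',
      dependencies: {
        lodash: { version: '4.17.21' },
      },
    },
    'other-lib': {
      version: '1.2.3',
      dependencies: {
        lodash: { version: '4.18.1' },
      },
    },
  },
};

const vulnerable = vulnerableCopies(SAMPLE_TREE, 'lodash', FIXED_LODASH);
for (const c of vulnerable) {
  console.log(`still vulnerable: ${c.path} @ ${c.version} (< ${FIXED_LODASH})`);
}
```

To run it against a real checkout, replace `SAMPLE_TREE` with the parsed output of `npm ls lodash --json --all` (or, for Yarn projects, inspect `yarn why lodash`); the function does not read the lockfile itself, it only interprets the tree it is given.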
@julianladisch changed the title from "EUREKA-883: Bump lodash 4.17.21 -> 4.17.23 fix CVE-2025-13465" to "EUREKA-883: Bump lodash 4.17.21 -> ^4.18.0 fix CVEs" on Apr 23, 2026
@julianladisch changed the title from "EUREKA-883: Bump lodash 4.17.21 -> ^4.18.0 fix CVEs" to "EUREKA-883: Bump lodash 4.17.21 -> ^4.18.1 fix CVEs" on Apr 28, 2026
ryandberger previously approved these changes Apr 30, 2026
zburke previously approved these changes Jun 15, 2026
`@folio/stripes-build` `1.1.0` includes `@folio/stripes-webpack`
`6.1.0`, which omits a transitive dependency on `sharp` that relied on a
post-install script. NPM lifecycle scripts were disabled in build
infrastructure in
folio-org/jenkins-pipeline-libs#162 to address
FOLIO-4492.
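Before disabling npm lifecycle scripts in a build, it helps to know which installed packages declare install-time hooks, since those are the ones (like the `sharp` dependency mentioned above) that will stop working under `--ignore-scripts`. The following is an added example, not code from this PR, the FOLIO project or the Jenkins pipeline library: it inventories `preinstall`, `install` and `postinstall` hooks across a map of package manifests. The manifests embedded in it are constructed, and the package names in them are hypothetical.

```javascript
// Added example (not part of the PR or the FOLIO project): list dependencies
// whose package.json declares an install-time lifecycle hook, i.e. the ones
// that break when npm runs with --ignore-scripts or ignore-scripts=true in
// .npmrc. The manifests below are constructed; the names are hypothetical.

// Hooks npm runs while installing a dependency. "prepare" is left out because
// it only runs for the root package and git dependencies.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Hooks a single manifest declares with a non-empty command.
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return INSTALL_HOOKS.filter(
    (h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '',
  );
}

// Given { <package name>: <parsed package.json> }, return the packages that
// depend on an install hook, with the commands they would have run.
function packagesNeedingScripts(manifests) {
  const out = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    const hooks = installHooks(pkg);
    if (hooks.length === 0) continue;
    out.push({
      name,
      version: pkg.version,
      hooks,
      commands: hooks.map((h) => pkg.scripts[h]),
    });
  }
  return out;
}

// Optional helper for a real checkout: build the manifests map from the
// top level of a node_modules directory (CommonJS only; it is not called
// here and does not descend into nested node_modules folders).
function readManifests(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  const out = {};
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    if (entry.startsWith('.')) continue;
    const dirs = entry.startsWith('@')
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((s) => path.join(entry, s))
      : [entry];
    for (const d of dirs) {
      const p = path.join(nodeModulesDir, d, 'package.json');
      if (fs.existsSync(p)) out[d] = JSON.parse(fs.readFileSync(p, 'utf8'));
    }
  }
  return out;
}

// Constructed sample: one native-binding package relies on an install hook,
// one has no scripts at all, one declares only an empty postinstall and a
// test script, neither of which matters at install time.
const SAMPLE_MANIFESTS = {
  'native-binding-lib': {
    version: '0.1.0',
    scripts: { install: 'node-gyp rebuild', test: 'mocha' },
  },
  lodash: { version: '4.18.1' },
  'harmless-lib': {
    version: '1.0.0',
    scripts: { postinstall: '', test: 'jest' },
  },
};

const needingScripts = packagesNeedingScripts(SAMPLE_MANIFESTS);
for (const p of needingScripts) {
  console.log(`${p.name}@${p.version} needs ${p.hooks.join(', ')}: ${p.commands.join(' ; ')}`);
}
```

The output is the list to review before flipping `ignore-scripts` on in CI: each entry either needs a prebuilt alternative (as the `@folio/stripes-webpack` bump above achieves by dropping the dependency) or an explicit, audited rebuild step.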
@zburke zburke dismissed stale reviews from ryandberger and themself via 66ddbf5 June 23, 2026 19:59
`@folio/stripes-build` `1.1.1` updates `webpack` to `^5.104.1` to
satisfy a feature requirement from `@folio/stripes-webpack` for
STRWEB-144, details at
folio-org/stripes-webpack#175. Yes, this change
in the peer-dep requirements should have been labeled as a breaking
change.
@zburke zburke merged commit 53d1b7a into R1-2025-okapi Jun 24, 2026
4 checks passed
@zburke zburke deleted the EUREKA-883-lodash branch June 24, 2026 12:23