
[Snyk] Security upgrade lodash from 4.17.21 to 4.18.1 #183

Open

mm-prodsec-bot wants to merge 1 commit into main from snyk-fix-c2338f2d396d25c8ff5bd1406d3a4351

[Snyk] Security upgrade lodash from 4.17.21 to 4.18.1#183
mm-prodsec-bot wants to merge 1 commit into
mainfrom
snyk-fix-c2338f2d396d25c8ff5bd1406d3a4351

Conversation


@mm-prodsec-bot mm-prodsec-bot commented Apr 2, 2026


Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • webapp/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue and score:

  • Prototype Pollution (medium severity), SNYK-JS-LODASH-15053838: score 645
  • Arbitrary Code Injection (high severity), SNYK-JS-LODASH-15869625: score 630
  • Prototype Pollution (medium severity), SNYK-JS-LODASH-15869619: score 545

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary Code Injection

Change Impact: 🟢 Low

Regression Risk: Minimal. This is a patch/minor version upgrade within the same major version (lodash 4.x), specifically targeting security fixes without breaking changes (as confirmed by Snyk metadata: isBreakingChange: false). The codebase uses standard, stable lodash utilities (isEqual, cloneDeep, debounce, throttle, difference) that maintain API compatibility across patch/minor versions. The upgrade is isolated to a single file (webapp/package.json) with no code logic changes.

QA Recommendation: Minimal manual QA required. Given that this is a verified security-only upgrade with no breaking changes and the functions used in the codebase are stable utilities unlikely to change behavior, a standard smoke test of core functionality (search, filtering, view operations, input debouncing) would be sufficient. Automated test coverage should provide adequate confidence for this type of dependency update.

Generated by CodeRabbitAI


coderabbitai Bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 15c86e3b-8b7d-49ed-8aa4-6fd97efa0ea6

📥 Commits

Reviewing files that changed from the base of the PR and between b87f32e and 42c36c7.

📒 Files selected for processing (1)
  • webapp/package.json

📝 Walkthrough

Walkthrough

The lodash dependency in webapp/package.json has been updated from version ^4.17.21 to ^4.18.1. This is a minor version bump for the utility library, updating the resolved package version range for runtime dependencies.

Changes

Cohort / File(s): Summary

  • Dependency Version Update, webapp/package.json: Updated lodash dependency from ^4.17.21 to ^4.18.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name, status, explanation:

  • Description Check: ✅ Passed. Check skipped, CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: upgrading lodash from 4.17.21 to 4.18.1 for security purposes, which is the only modification in the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@marianunez marianunez requested a review from Rajat-Dabade April 6, 2026 17:14
@Rajat-Dabade (Contributor) commented:

@coderabbitai review this PR


coderabbitai Bot commented Apr 7, 2026

🧩 Analysis chain

🌐 Web query:

lodash 4.18.1 npm package version

💡 Result:

lodash@4.18.1 is a published npm release (and is currently the latest dist-tag). Its registry metadata lists the tarball as lodash-4.18.1.tgz and includes integrity/shasum values for verification. [1]

Release notes for 4.18.1 indicate it fixes a ReferenceError affecting modular builds (including template / fromPairs) and references the 4.18.0 → 4.18.1 npm-branch diffs. [2]

Sources: [1] (registry.npmjs.org) [2] (newreleases.io)

🌐 Web query:

SNYK-JS-LODASH-15053838 SNYK-JS-LODASH-15869625 vulnerabilities

💡 Result:

  • SNYK-JS-LODASH-15053838 (CVE-2025-13465) — Prototype Pollution in lodash via _.unset and _.omit.

    • Affected: lodash >= 4.0.0 < 4.17.23
    • Severity (Snyk): Medium
    • Fix: Upgrade to lodash >= 4.17.23 (or later). [1]
  • SNYK-JS-LODASH-15869625 (CVE-2026-4800) — Arbitrary Code Injection in lodash due to improper validation of options.imports key names in _.template, enabling code execution at template compilation time (and can be worsened by prior prototype pollution).

    • Affected: lodash < 4.18.1 (per Snyk) [2]
    • Severity (Snyk): High [2]
    • Fix: Upgrade to lodash >= 4.18.1. Snyk notes 4.18.0 was intended to fix but was deprecated due to a breaking issue. [2]
    • OpenJS lists CVE-2026-4800 with the same root cause (“Incomplete fix for CVE-2021-23337… via _.template imports key names”). [3]
    • GitHub’s advisory for the issue describes affected versions up to 4.17.23 and indicates patching starting at 4.18.0 (but given Snyk’s deprecation note, 4.18.1 is the safer target). [4]

Practical remediation: If you can, upgrade straight to lodash >= 4.18.1, which addresses both issues. [1][2]

Sources: [1] (security.snyk.io), [2] (security.snyk.io), [3] (cna.openjsf.org), [4] (github.com)

@Rajat-Dabade: Here is my review of this security upgrade PR:


Summary

This PR upgrades lodash from 4.17.21 → 4.18.1 in webapp/package.json to address 3 confirmed vulnerabilities. I've verified both the target version and the vulnerability IDs.


✅ Version Validity

lodash 4.18.1 is a published npm release and is currently the latest dist-tag, with a proper registry tarball (lodash-4.18.1.tgz) and integrity/shasum values. The upgrade target is legitimate.

⚠️ Note: lodash 4.18.0 was intended to fix the code injection issue but was deprecated due to a breaking issue, making 4.18.1 the correct and safe fix target.


🔐 Vulnerabilities Fixed

ID, type, severity, details:

  • SNYK-JS-LODASH-15053838, Prototype Pollution, Medium: Affects lodash >= 4.0.0 < 4.17.23 via _.unset and _.omit.
  • SNYK-JS-LODASH-15869625, Arbitrary Code Injection, High: Affects lodash < 4.18.1 due to improper validation of options.imports key names in _.template, enabling code execution at template compilation time.
  • SNYK-JS-LODASH-15869619, Prototype Pollution, Medium: Additional prototype pollution issue, fixed in >= 4.18.1.

📝 Assessment

  • Scope: Only webapp/package.json is modified — a minimal, targeted change.
  • Breaking changes: Per Snyk's metadata, this upgrade is marked as non-breaking ("isBreakingChange": false).
  • Risk: Low. The change is a patch/minor bump fixing active security vulnerabilities.

Recommendation: ✅ This PR is safe to merge. The upgrade is well-scoped, the target version is verified on npm, and the vulnerabilities being fixed are real and significant (particularly the high-severity code injection in _.template).

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
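The advisory ranges quoted in the review above (>= 4.0.0 < 4.17.23 for SNYK-JS-LODASH-15053838, < 4.18.1 for SNYK-JS-LODASH-15869625 and SNYK-JS-LODASH-15869619) can be turned into a local check that reports which of the three advisories still apply to the lodash copy actually installed, since the caret range in package.json says nothing about what the lockfile resolved. This is an added example, not code from the PR or from Snyk/CodeRabbit; the lower bound of SNYK-JS-LODASH-15869619 is not stated on the page and is assumed here to be any version below 4.18.1, and the file path used by installedLodashVersion is an assumption about a standard npm layout.

```javascript
// Added example (not from the PR): map a lodash version to the advisories
// listed in this PR. Ranges copied from the review text above; the lower
// bound of SNYK-JS-LODASH-15869619 is an assumption (page only gives the fix).
const ADVISORIES = [
  { id: 'SNYK-JS-LODASH-15053838', type: 'Prototype Pollution', severity: 'medium',
    affected: v => gte(v, '4.0.0') && lt(v, '4.17.23') },
  { id: 'SNYK-JS-LODASH-15869625', type: 'Arbitrary Code Injection', severity: 'high',
    affected: v => lt(v, '4.18.1') },          // 4.18.0 was deprecated, 4.18.1 is the fix
  { id: 'SNYK-JS-LODASH-15869619', type: 'Prototype Pollution', severity: 'medium',
    affected: v => lt(v, '4.18.1') },          // assumed lower bound, see above
];

// Parse "MAJOR.MINOR.PATCH" (a leading ^ or ~ is tolerated and ignored, so a
// package.json spec reports only the floor of its range, not what is installed).
function parse(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison; returns -1, 0 or 1.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
const lt = (a, b) => cmp(a, b) < 0;
const gte = (a, b) => cmp(a, b) >= 0;

// IDs of the advisories that still apply to the given lodash version.
function applicableAdvisories(version) {
  return ADVISORIES.filter(a => a.affected(version)).map(a => a.id);
}

// Read the version that actually runs: node_modules/lodash/package.json
// (assumed standard npm layout), not the caret range in webapp/package.json.
function installedLodashVersion(nodeModulesDir = 'node_modules') {
  const fs = require('fs'), path = require('path');
  const pkg = path.join(nodeModulesDir, 'lodash', 'package.json');
  return JSON.parse(fs.readFileSync(pkg, 'utf8')).version;
}

// Example run against a checkout: report open advisories and fail the build if any remain.
function auditInstalled(nodeModulesDir = 'node_modules') {
  const v = installedLodashVersion(nodeModulesDir);
  const open = applicableAdvisories(v);
  console.log(`lodash ${v}: ${open.length ? open.join(', ') : 'no listed advisories apply'}`);
  return open.length === 0;
}
```

Run `auditInstalled('webapp/node_modules')` from the repository root after `npm install` to confirm the lockfile actually resolved 4.18.1 rather than just widening the range.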
