Summary
The lodash dependency is pinned using a tilde range (~4.17.23), which only permits patch updates within the 4.17.x line. Lodash 4.18.0 was recently released to address CVE-2026-4800, a code injection vulnerability in the _.template function. Because of the tilde constraint, consumers of api-extractor cannot receive this security fix without an explicit update to the package.json in this repository.
More broadly, several other dependencies in api-extractor also use tilde ranges (e.g., @microsoft/tsdoc, resolve, semver, source-map). Switching these to caret ranges would allow consumers to benefit from minor version updates, including security patches, without requiring a new api-extractor release.
Repro steps
Expected result: Consumers can receive lodash security patches (e.g., 4.18.0) when regenerating their lockfiles.
Actual result: The ~4.17.23 constraint prevents resolution to 4.18.0, leaving consumers exposed to CVE-2026-4800 until api-extractor explicitly updates its dependency.
Details
Suggested change:
Broader suggestion: Consider updating all tilde-pinned dependencies to use caret ranges, allowing minor version updates that could include security patches.
Using a caret range would allow minor version updates (4.17.x → 4.18.x), enabling consumers to automatically receive security patches that are published in minor releases.
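To make the resolution difference concrete, here is a small model of npm's tilde and caret range semantics. This is an added illustration written for this page, not code from api-extractor or from the semver package it depends on; it only handles plain x.y.z versions (no prerelease tags or build metadata), and the list of "published" lodash versions is constructed inline rather than fetched from the registry. The ~4.17.23 / ^4.17.23 comparison is the case from this issue; the 0.x caret rules are included because they are the edge case most people get wrong when switching tilde to caret.

```javascript
// Added example: a minimal model of npm's tilde (~) and caret (^) range
// semantics, showing why "~4.17.23" cannot resolve to lodash 4.18.0 while
// "^4.17.23" can. Illustrative code written for this page, not the `semver`
// package; prerelease tags and build metadata are deliberately unsupported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Lexicographic compare on (major, minor, patch); negative/zero/positive.
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns the half-open interval [lower, upper) that a range denotes.
function rangeBounds(range) {
  const op = range[0];
  const lower = parseVersion(op === '~' || op === '^' ? range.slice(1) : range);
  if (op === '~') {
    // ~x.y.z := >=x.y.z <x.(y+1).0  (patch updates only)
    return { lower, upper: { major: lower.major, minor: lower.minor + 1, patch: 0 } };
  }
  if (op === '^') {
    // ^x.y.z := >=x.y.z <(x+1).0.0, except that for 0.x versions the leftmost
    // non-zero component is treated as the compatibility boundary:
    // ^0.2.3 => <0.3.0 and ^0.0.3 => <0.0.4
    if (lower.major > 0) return { lower, upper: { major: lower.major + 1, minor: 0, patch: 0 } };
    if (lower.minor > 0) return { lower, upper: { major: 0, minor: lower.minor + 1, patch: 0 } };
    return { lower, upper: { major: 0, minor: 0, patch: lower.patch + 1 } };
  }
  // No operator: an exact pin, i.e. [x.y.z, x.y.(z+1))
  return { lower, upper: { major: lower.major, minor: lower.minor, patch: lower.patch + 1 } };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given the versions a registry offers, pick the highest one the range allows
// (what a lockfile regeneration would resolve to), or null if none match.
function maxSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compare(parseVersion(b), parseVersion(a)))[0];
}

// Constructed sample of published lodash versions (not fetched from npm).
const published = ['4.17.21', '4.17.23', '4.18.0'];

console.log('~4.17.23 resolves to', maxSatisfying(published, '~4.17.23')); // 4.17.23 (fix not reachable)
console.log('^4.17.23 resolves to', maxSatisfying(published, '^4.17.23')); // 4.18.0  (fix reachable)
```

The model is enough to reason about the issue: with the tilde range, regenerating a lockfile can never select 4.18.0 because the upper bound is exactly 4.18.0 (exclusive), so the patched release only becomes reachable once the declared range itself is changed.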
References:
Standard questions
| Question | Answer |
| --- | --- |
| @microsoft/api-extractor version? | 7.57.8 |
| Operating system? | Mac |
| API Extractor scenario? | rollups (.d.ts) |
| Would you consider contributing a PR? | Yes |
| TypeScript compiler version? | 5.5.4 |
| Node.js version (node -v)? | 24.14.0 |