chore(deps): update dependency lodash to v4.18.1 [security]#17278
Merged
Conversation
renovate
Bot
force-pushed
the
renovate/npm-lodash-vulnerability
branch
from
bb81c58 to
c44c238
Compare
renovate
Bot
force-pushed
the
renovate/npm-lodash-vulnerability
branch
from
c44c238 to
0b29275
Compare
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 28, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 28, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 28, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 28, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 30, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 30, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
Apr 30, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
anatawa12
added a commit
to anatawa12/misskey
that referenced
this pull request
May 7, 2026
* [skip ci] Update CHANGELOG.md (prepend template) * deps: update dependencies (misskey-dev#17263) * deps: update dependencies * fix? * fix * Update AiService.ts * fix * update deps * fix(backend): /api-doc にアクセスできない問題を修正 (misskey-dev#17267) * Initial plan * fix: fix /api-doc returning 404 after backend minification (misskey-dev#17266) Agent-Logs-Url: https://github.com/misskey-dev/misskey/sessions/8d7d0585-55da-412f-a8ee-dde1b6565026 Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * enhance: API DocのHTMLをJSXで生成するように * Update Changelog * chore: remove unused imports [ci skip] --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> Co-authored-by: kakkokari-gtyih <67428053+kakkokari-gtyih@users.noreply.github.com> * deps: Update vite to v8 (misskey-dev#17238) * deps: Update vite to v8 * fix * migrate some plugins to rolldown-based * fix broken lockfile * wip * update rolldown * override rolldown version * perf * spdx * fix * update vite to 8.0.1 * chore: rewrite rollup-plugin-unwind-css-module-class-name with MagicString * format * swap type definitions * replace using MagicString * provided magicString * fix code style * fix * fix * fix * fix * fix --------- Co-authored-by: kakkokari-gtyih <67428053+kakkokari-gtyih@users.noreply.github.com> * fix: lint fixes * swap sass with sass-embedded * fix lint * fix: インライン化されたVue SFC出力に対してCSS Module定義削除が効かないのを修正 * fix * fix: バックエンドのCSS読み込みの方法が悪いのを修正 * fix: 使用されないpreloadを削除 * fix lint [ci skip] * Apply suggestion from @syuilo * Add comment in pnpm-workspace.yaml [ci skip] * update vite/rolldown * remove magic-string --------- Co-authored-by: cm-ayf <cm.ayf2734@gmail.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * fix(backend): handle array or string in alsoKnownAs (misskey-dev#17275) * fix: handle array or string in alsoKnownAs, closes misskey-dev#17274 * style: use more idiomatic toArray() for UserEntityService handling of alsoKnownAs * fix: handle array-valued or unwrapped alsoKnownAs in ApPersonService * doc: note about bugfix for alsoKnownAs * enhance(frontend): チャンネル指定リノートでリノート先のチャンネルに移動できるように (misskey-dev#17280) * enhance(frontend): チャンネル指定リノートでリノート先のチャンネルに移動できるように * Update Changelog * fix condition * refactor * Revert "deps: Update vite to v8" (misskey-dev#17283) Revert "deps: Update vite to v8 (misskey-dev#17238)" This reverts commit e601fcb. * Bump version to 2026.4.0-alpha.0 * refactor(frontend): MkButtonのprops等整理 (misskey-dev#17282) * refactor(frontend): MkButtonのprops等整理 * fix * enhance(frontend): improve nested popup menu ux (misskey-dev#17187) * wip * Update MkMenu.vue * wip * wip * Update MkMenu.vue * wip * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * 💢 * Update MkMenu.vue * Update MkMenu.vue * Update MkMenu.vue * New Crowdin updates (misskey-dev#17260) * New translations ja-jp.yml (Thai) * New translations ja-jp.yml (Lao) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (Italian) * New translations ja-jp.yml (Spanish) * New translations ja-jp.yml (Italian) * New translations ja-jp.yml (Catalan) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (Italian) * fix(frontend): routerがmatchAllに入った際に一度 `location.href` による遷移を試みる挙動に関する修正 (misskey-dev#17281) * fix(frontend): follow-up of misskey-dev#13509 * fix: fix use of inappropriate method * Update CHANGELOG.md [ci skip] * Bump version to 2026.4.0-alpha.1 * enhance(frontend): niraxにテストを追加 (misskey-dev#17287) * fix(frontend): follow-up of misskey-dev#13509 * fix: fix use of inappropriate method * enhance(frontend): niraxにテストを追加 * fix(frontend): follow-up of misskey-dev#17282 * refactor(frontend): refactor deck events (misskey-dev#17290) * enhance(frontend): update vite to v8 再 (misskey-dev#17289) * Revert "Revert "deps: Update vite to v8" (misskey-dev#17283)" This reverts commit a18c909. * fix(frontend): popupのりアクティビティがチャンクをまたいで切れる事がある問題を修正 * update vite/rolldown * Bump version to 2026.4.0-alpha.2 * perf(frontend): improve about#emojis rendering performance * fix(frontend): bannerUrl が空の場合に /about ページで /null へのアクセスが発生する問題を修正 (misskey-dev#17299) fix(frontend): bannerUrl が空の場合に /about ページで /null へのリクエストが発生する問題を修正 bannerUrl が空の場合は 背景画像を設定しない。 about.overview.vue の background-image: url("null"); によって /null へのリクエストが発生してしまうため。 * fix(frontend): 連合が無効化されたサーバーでInstance Tickerの設定が中途半端に消えている問題を修正 (misskey-dev#17303) * fix(frontend): 連合が無効化されたサーバーでInstance Tickerの設定が中途半端に消えている問題を修正 * Update Changelog * fix(frontend): ドライブへの画像アップロード時にファイル名の変更が無視される不具合を修正 (misskey-dev#17302) * ドライブの実ファイル名ではなくsuffixを保持するように * MkUploaderItemsでファイル名が圧縮後の拡張子も含めて表示されるように * Apply suggestion from @kakkokari-gtyih Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> * changelog --------- Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * fix(backend): 存在しないActorに対するDeleteアクティビティは無視するように (misskey-dev#17294) * fix(backend): 存在しないActorに対するDeleteアクティビティは無視するように * Update Changelog * fix * Revert "fix" This reverts commit 985feea. * fix? * fix * fix * fix * fix * refactor: remove unused imports * fix * Update CHANGELOG.md [ci skip] * Bump version to 2026.4.0-alpha.3 * deps: Update dependencies (misskey-dev#17304) * update deps * update dependencies (major) * fix: migrate meilisearch * fix: migrate color-convert types * fix cypress? * rollback ts v5 as it is not supported by cypress * fix fake-timers * chore(deps): update dependency lodash to v4.18.1 [security] (misskey-dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(backend): ULIDを正しく処理できない問題を修正 (misskey-dev#17310) fix(backend): fix parseUlidFull to correctly handle Crockford Base32 chars W/X/Y/Z * Update CHANGELOG.md for misskey-dev#17310 [ci skip] * fix(backend): robots.txtで返却する内容の調整 (misskey-dev#17165) * fix(backend): robots.txtで返却する内容の調整 * Update Changelog * fix: add paths * Update Changleog * fix(backend): attempt to fix flaky e2e test on home timeline streaming (misskey-dev#17312) * fix(backend): fix flaky e2e test on recursive drive folder check (misskey-dev#17311) * fix(backend): Prevent retry of inbox jobs with role-based validation errors (misskey-dev#17167) * Initial plan * Handle too many mentions error in inbox without retry Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Update CHANGELOG.md * Bump version to 2026.4.0-alpha.4 * refactor(frontend): ロールポリシーエディタを統合 (misskey-dev#17125) * refactor(frontend): ロールポリシーエディタを統合 * fix * fix lint * clean up * fix * fix lint * enhance: アバターデコレーションへのカテゴリの導入 (misskey-dev#17034) * feat(backend): AvatarDecorationにcategoryを追加し、関連APIのプロパティ・戻り値にも反映 * feat(frontend): アバターデコレーションのカテゴリ設定機能 * chore(frontend): 管理画面とユーザー側の画面で、アバターデコレーションのグループ化のコードをある程度統一 * CHANGELOGを更新 * fix: group-avatar-decorations.tsを使用するよう修正 * chore: コーディング規約への準拠 * 型エラーを解消 * Update CHANGELOG.md * fix(backend): handle relay-delivered Announce activities correctly (misskey-dev#17308) * fix(backend): handle relay-delivered Announce activities correctly Relay Announce activities now use the target note URI instead of the Announce URI for federation allowlist checks, dedup locking, and existence lookups. Notes delivered via relay are published directly to the notes stream without creating a renote. Closes misskey-dev#11056 * Update packages/backend/src/core/RelayService.ts Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> --------- Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Bump version to 2026.4.0-alpha.5 * enhance(backend): bundle backend using Rolldown (misskey-dev#17068) * enhance(backend): bundle backend using rolldown * fix * fix [ci skip] * remove unused build script * fix * enhance: 起動からlistenまでかかる時間を減らす (MisskeyIO#1410) * ✌️ * fix * update rolldown * fix(backend): extract static error classes to avoid rolldown design:paramtypes omission * update rolldown * Revert "fix(backend): extract static error classes to avoid rolldown design:paramtypes omission" This reverts commit e2243c9. * fix * perf: avoid generating sourcemap in production * fix * fix * fix * fix paths * fix * fix * fix * fix * fix * enhance: バックエンドの開発サーバー制御をrolldown側で行うように * remove nodemon * Update Changelog * tweak config * fix * fix * fix * clean up --------- Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com> Co-authored-by: bab <mashirohira@gmail.com> * fix(backend): devサーバーの起動に失敗することがある問題を修正 (misskey-dev#17317) * fix(backend): devサーバーの起動に失敗することがある問題を修正? * fix * deps: update security dependencies (misskey-dev#17318) * Bump version to 2026.4.0-alpha.6 * Update CHANGELOG.md * enhance(backend/test): Migrate tests to vitest (misskey-dev#16935) * wip * update fake-timers and migrate * fix * remove jest-mock * fix * fix * fix * fix * attempt to fix unit tests * attempt to fix e2e tests * fix federation test [ci skip] * attempt to fix e2e tests * fix typecheck * fix unit tests * fix * attempt to fix e2e * fix * Revert "attempt to fix e2e" This reverts commit b7b7b05. * attempt to fix e2e * revert attempt to fix e2e * update deps * update vitest * migrate * attempt to fix e2e * update * fix * remove vite swc plugin as oxc parser can handle decorators * attempt to fix drive/files/create test * Revert "attempt to fix drive/files/create test" This reverts commit 4715153. * fix: エンドポイントにまつわるテストをunitからe2eに移動 * attempt to fix e2e * remove swc * attempt to fix e2e * Revert "attempt to fix e2e" This reverts commit 9fb86a4. * add logs for debug * attempt to fix e2e * Partially revert "attempt to fix e2e" This reverts commit fb0008c. * attempt to fix test * fix: attempt to fix test * Revert "fix: attempt to fix test" This reverts commit ed2f5c4. * Revert "attempt to fix test" This reverts commit d7329c4. * attempt to fix e2e * fix: surpass eventemitter warning by increasing defaultMaxListeners * attempt to fix e2e * fix * fix e2e not ending properly * exp: add hanging-process reporter for investigation * Revert "exp: add hanging-process reporter for investigation" This reverts commit 26851f8. * update changelog * fix(frontend): loosen MkButton props type (misskey-dev#17329) * deps: update security dependencies (misskey-dev#17330) * deps: update security dependencies * deps: update some major dependencies * attempt to fix tsconfig * attempt to fix tsconfig * attempt to fix tsconfig * fix build * fix(gh): misskey-jsがpublishされない問題を修正 * Bump version to 2026.4.0-beta.0 * fix(backend): `RoleService.getAdministratorIds` でユーザーIDが重複する問題を修正 (misskey-dev#17334) * fix(backend): adminロールが複数付いてても通知が重複しないように * add tests * Update Changelog * ✌️ Co-Authored-by: lqvp <183242690+lqvp@users.noreply.github.com> --------- Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> * fix(backend): meilisearchを使用していない場合のnoteSearchableScopeの値が誤っている問題を修正 (misskey-dev#17341) * fix(backend): meilisearchを使用していない場合のnoteSearchableScopeの値が誤っている問題を修正 * Update Changelog * fix: change bare activity.actor to getApId(activity.actor) in InboxPr… (misskey-dev#17340) * fix: change bare activity.actor to getApId(activity.actor) in InboxProcessorService (closes misskey-dev#17338) * doc: update CHANGELOG.md to note fix for misskey-dev#17338 * fix: additional activity.actor wrappers in ApInboxService * Update CHANGELOG.md --------- Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * fix(backend): ブロックしたインスタンスのInboxジョブが蓄積し続ける問題を修正 (misskey-dev#17336) * fix(backend): ブロックしたインスタンスのInboxジョブが蓄積し続ける問題を修正 * refactor * Upddate changelog --------- Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * enhance(frontend): 子メニュー表示時のガードがradioでも効くように * type: 'radio'なMenuItemが機能しなくなっている問題を修正 (misskey-dev#17344) * fix * Update CHANGELOG.md * fix(frontend): MenuRadioの指定方法変更 (misskey-dev#17345) * fix(frontend): MenuRadioの指定方法変更 * fix indent --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * fix(backend): ノート通知で公開範囲を考慮するように (misskey-dev#17335) * fix(backend): ノート通知で公開範囲を考慮するように * refactor: remove unused imports * Update Changelog * Update Changelog * fix: フォロワー限定ノートは通知 --------- Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> * fix: redirect beta/alpha/rc "what's new" button to GitHub releases page (misskey-dev#17347) * Initial plan * fix: redirect beta/alpha/rc update info button to GitHub releases page Agent-Logs-Url: https://github.com/misskey-dev/misskey/sessions/4ac22dd9-13dd-4ef2-a6f7-d68cfda4a19f Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Bump version to 2026.4.0-beta.1 * Update CHANGELOG for misskey-dev#17347 * fix(deps): update dependency sanitize-html to v2.17.3 [security] (misskey-dev#17319) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(frontend): まれにリアクション・絵文字ピッカーが動作しなくなる問題を修正 (misskey-dev#17349) * Revert "fix(frontend): popupのりアクティビティがチャンクをまたいで切れる事がある問題を修正" This reverts commit 0a93f52. * fix: iOS PWA でリアクション・絵文字ピッカーが動作しない問題を修正 Agent-Logs-Url: https://github.com/lqvp/misskey-tempura/sessions/44526368-0e6a-4a94-8991-fcdc094d2b96 Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> * refactor * fix --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> * Bump version to 2026.4.0-beta.2 * Bump version to 2026.5.0-alpha.0 * Update CHANGELOG.md * fix: review fixes for v2026.5.0 release (misskey-dev#17350) * fix/perf: NotificationManager in NoteCreateService * fix: treat skip as successful return in InboxProcessorService * chore: remove comment * fix: simplify ReactionPicker/EmojiPicker by importing components directly * refactor: move filename parsing to setup in MkUploaderItems * refactor * Release: 2026.5.0 * [skip ci] Update CHANGELOG.md (prepend template) * fix(backend): ULID使用時にnotificationTimelineへのXADDが失敗し続け、通知が約10秒遅延する問題を修正 (misskey-dev#17358) * devcontainer用dbコンテナのvolumeのマウントパスを変更 (misskey-dev#17360) * `.devcontainer/compose.yml`のvolumeのマウントパスを修正 * CHANGELOGの更新 * fix(backend): 公開範囲がフォロワーの投稿が通知されない問題を修正 (misskey-dev#17363) * fix(backend): 公開範囲がフォロワーの投稿が通知されない問題を修正 * Udpate Changelog * fix: update summaly (misskey-dev#17355) * fix: update summaly * Update Changelog * Bump version to 2026.5.1-alpha.0 * Fix(frontend): ロール設定画面でロールをアサイン/アサイン解除した際、リロードしなくても画面に反映されるよう修正 (misskey-dev#17365) * ロールの付与、剥奪後にPaginatorのリロードを行って表示を更新する処理を追加 * CHANGELOGを更新 * enhance: Add `canCreateChannel` role policy (misskey-dev#17121) * Initial plan * Add canCreateChannel role policy to control channel creation Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Add canCreateChannel to getUserPolicies return value Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Add canCreateChannel translations for en-US and ja-JP Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Add canCreateChannel to misskey-js rolePolicies array Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * Add frontend UI for canCreateChannel policy configuration Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * fix: build autogen files * 🎨 * migrate * fix: unnecessary changes to non-Japanese locales --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> Co-authored-by: kakkokari-gtyih <67428053+kakkokari-gtyih@users.noreply.github.com> * Update CHANGELOG.md (follow-up of misskey-dev#17121) [ci skip * refactor: パスキーまわりのライブラリを更新 (misskey-dev#17354) * refactor: パスキーまわりのライブラリを更新 * fix * chore(deps): update [github actions] update dependencies (major) (misskey-dev#17204) chore(deps): update [github actions] update dependencies Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update [github actions] update dependencies [ci skip] (misskey-dev#17370) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update [docker] update dependencies [ci skip] (misskey-dev#17369) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * deps: Update dependencies [ci skip] (misskey-dev#17368) * update deps * update deps * rollback got to v14 * Revert "rollback got to v14" This reverts commit 780abdf. * rollback rolldown to v1.0.0-rc.15 * fix(backend): Acquire lock of Announce object in announceNote even if it is from a relay actor (misskey-dev#17356) fix(backend): Always acquire lock of Announce object in announceNote * New Crowdin updates (misskey-dev#17324) * New translations ja-jp.yml (Russian) * New translations ja-jp.yml (Spanish) * New translations ja-jp.yml (English) * New translations ja-jp.yml (Thai) * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Korean) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * Bump version to 2026.5.1-beta.0 * enhance(frontend): MkNoteDetailedの公開範囲表示を改善 (misskey-dev#17374) * enhance(frontend): 노트 상세 페이지에서 공개 범위를 자세히 표시하도록 개선됨 * Update Changelog * fix --------- Co-authored-by: NoriDev <m1nthing2322@gmail.com> * New Crowdin updates (misskey-dev#17372) * New translations ja-jp.yml (Turkish) [ci skip] * New translations ja-jp.yml (Thai) [ci skip] * New translations ja-jp.yml (Thai) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * New translations ja-jp.yml (Chinese Simplified) [ci skip] * Update CHANGELOG.md * Release: 2026.5.1 --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> Co-authored-by: cm-ayf <cm.ayf2734@gmail.com> Co-authored-by: Evan Prodromou <evanp@users.noreply.github.com> Co-authored-by: danominium <37584143+danominium@users.noreply.github.com> Co-authored-by: FINEARCHS <133759614+FineArchs@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: mq1 <74494945+chan-mai@users.noreply.github.com> Co-authored-by: るちーか <7106976+EbiseLutica@users.noreply.github.com> Co-authored-by: Jaehong Kang <sinoru@me.com> Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com> Co-authored-by: bab <mashirohira@gmail.com> Co-authored-by: lqvp <183242690+lqvp@users.noreply.github.com> Co-authored-by: kami8 <55905116+kamiya-s-max@users.noreply.github.com> Co-authored-by: Wonwoo Choi <chwo9843@gmail.com> Co-authored-by: NoriDev <m1nthing2322@gmail.com>
m10i-0nyx
pushed a commit
to foundation0-link/misskey
that referenced
this pull request
May 10, 2026
…dev#17278) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.17.23→4.18.1GitHub Vulnerability Alerts
CVE-2026-2950
Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the
_.unsetand_.omitfunctions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such asObject.prototype,Number.prototype, andString.prototype.The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches
This issue is patched in 4.18.0.
Workarounds
None. Upgrade to the patched version.
CVE-2026-4800
Impact
The fix for CVE-2021-23337 added validation for the
variableoption in_.templatebut did not apply the same validation tooptions.importskey names. Both paths flow into the sameFunction()constructor sink.When an application passes untrusted input as
options.importskey names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.Additionally,
_.templateusesassignInWithto merge imports, which enumerates inherited properties viafor..in. IfObject.prototypehas been polluted by any other vector, the polluted keys are copied into the imports object and passed toFunction().Patches
Users should upgrade to version 4.18.0.
The fix applies two changes:
importsKeysagainst the existingreForbiddenIdentifierCharsregex (same check already used for thevariableoption)assignInWithwithassignWithwhen merging imports, so only own properties are enumeratedWorkarounds
Do not pass untrusted input as key names in
options.imports. Only use developer-controlled, static key names.lodash vulnerable to Prototype Pollution via array path bypass in
_.unsetand_.omitCVE-2026-2950 / GHSA-f23m-r3pf-42rh
More information
Details
Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the
_.unsetand_.omitfunctions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such asObject.prototype,Number.prototype, andString.prototype.The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches
This issue is patched in 4.18.0.
Workarounds
None. Upgrade to the patched version.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
lodash vulnerable to Code Injection via
_.templateimports key namesCVE-2026-4800 / GHSA-r5fr-rjxr-66jc
More information
Details
Impact
The fix for CVE-2021-23337 added validation for the
variableoption in_.templatebut did not apply the same validation tooptions.importskey names. Both paths flow into the sameFunction()constructor sink.When an application passes untrusted input as
options.importskey names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.Additionally,
_.templateusesassignInWithto merge imports, which enumerates inherited properties viafor..in. IfObject.prototypehas been polluted by any other vector, the polluted keys are copied into the imports object and passed toFunction().Patches
Users should upgrade to version 4.18.0.
The fix applies two changes:
importsKeysagainst the existingreForbiddenIdentifierCharsregex (same check already used for thevariableoption)assignInWithwithassignWithwhen merging imports, so only own properties are enumeratedWorkarounds
Do not pass untrusted input as key names in
options.imports. Only use developer-controlled, static key names.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
lodash/lodash (lodash)
v4.18.1Compare Source
Bugs
Fixes a
ReferenceErrorissue inlodashlodash-eslodash-amdandlodash.templatewhen using thetemplateandfromPairsfunctions from the modular builds. See #6167 (comment)These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.
There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:
lodash: lodash/lodash@4.18.0-npm...4.18.1-npmlodash-es: lodash/lodash@4.18.0-es...4.18.1-eslodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amdlodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packagesv4.18.0Compare Source
v4.18.0
Full Changelog: lodash/lodash@4.17.23...4.18.0
Security
_.unset/_.omit: Fixed prototype pollution viaconstructor/prototypepath traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Nowconstructorandprototypeare blocked unconditionally as non-terminal path keys, matchingbaseSet. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched._.template: Fixed code injection viaimportskeys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. Thevariableoption was validated againstreForbiddenIdentifierCharsbutimportsKeyswas left unguarded, allowing code injection via the sameFunction()constructor sink.importskeys containing forbidden identifier characters now throw"Invalid imports option passed into _.template".Docs
_.templatein threat model and API docs (#6099)lower > upperbehavior in_.random(#6115)_.compactjsdoc (#6090)lodash.*modular packagesDiff
We have also regenerated and published a select number of the
lodash.*modular packages.These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:
Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.