
fix: Bump lodash and lodash-es to 4.18 for dependabot alerts.#385

Merged
nedseb merged 1 commit into main from fix/dependabot-alerts
Apr 13, 2026

Conversation

@nedseb nedseb (Contributor) commented Apr 13, 2026

Summary

Resolves all 5 open Dependabot alerts on package-lock.json:

| # | Severity | Package | Vuln | Fix |
|---|---|---|---|---|
| 14 | High | lodash-es | Code injection via `_.template` | 4.18.0 |
| 15 | Medium | lodash-es | Prototype pollution via `_.unset`/`_.omit` | 4.18.0 |
| 16 | Medium | lodash | Prototype pollution via `_.unset`/`_.omit` | 4.18.0 |
| 17 | High | lodash | Code injection via `_.template` | 4.18.0 |
| 4 | Medium | picomatch | Method injection in POSIX classes | 4.0.4 |

Changes

Updated npm overrides in package.json:

```jsonc
"overrides": {
  "picomatch": "^4.0.4",
  "lodash": "^4.18.0",      // was ^4.17.22
  "lodash-es": "^4.18.0",   // new
  "tmp": "^0.2.4",
  "brace-expansion": "^2.0.3"
}
```

The previous override ^4.17.22 was not strict enough to force the patched 4.18.0 release. Adding an explicit lodash-es override (it was previously implicit via lodash).

picomatch ^4.0.4 was already in place — Dependabot will close that alert automatically.

Regenerated package-lock.json via npm install.

Test plan

  • npm install succeeds with new overrides
  • make test — 349 mock tests pass
  • npm audit — only 2 transitive vulns remain (in node_modules/npm/node_modules/, bundled in npm 11.12.1 itself, not actionable from this project)

Note

Two additional vulns are reported by npm audit inside node_modules/npm/node_modules/ (brace-expansion and picomatch). These are bundled inside the npm package itself (a transitive dep of @semantic-release/npm). They cannot be fixed from this project — npm 11.12.1 is the latest version. They are not flagged by Dependabot since they live in a nested node_modules.
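As an added check, not part of PR #385 or the project's own code: a small Node script that walks the `packages` map of a lockfile (lockfileVersion 2 or 3) and reports every copy of the affected packages still below the fix versions listed in the alert table, including nested copies such as those under node_modules/npm/node_modules/ that a top-level override does not reach. The minimum versions are the ones from the PR description; the lockfile excerpt embedded in the script is constructed for the example and its version numbers are made up, not taken from the project's real package-lock.json.

```javascript
// Added example, not code from PR #385 or the project. Verifies that every
// resolved copy of lodash, lodash-es and picomatch in a package-lock.json
// "packages" map meets the patched version from the Dependabot alerts.

// Minimum fixed versions as stated in the PR's alert table.
const MIN_FIXED = {
  "lodash": "4.18.0",
  "lodash-es": "4.18.0",
  "picomatch": "4.0.4",
};

// Turn "1.2.3" (ignoring any -prerelease/+build suffix) into [1, 2, 3].
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Compare major.minor.patch; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is the final "node_modules/<name>" segment of a lock path,
// so nested copies like node_modules/npm/node_modules/picomatch are found too.
// Scoped names (@scope/pkg) are handled.
function packageNameFromPath(lockPath) {
  const m = lockPath.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
  return m ? m[1] : null;
}

// Walk the lock's "packages" map and list every copy below its fixed version.
// A copy is "nested" when it sits under another package's node_modules; the
// PR note explains that such bundled copies cannot be fixed by a root override.
function findUnpatched(lock, minFixed = MIN_FIXED) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minFixed) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      findings.push({
        path: lockPath,
        name,
        version: entry.version,
        required: minFixed[name],
        nested: (lockPath.match(/node_modules\//g) || []).length > 1,
      });
    }
  }
  return findings;
}

// Read a real lockfile from disk and run the same check (path is hypothetical).
function checkLockfile(lockfilePath) {
  const fs = require("fs");
  return findUnpatched(JSON.parse(fs.readFileSync(lockfilePath, "utf8")));
}

// Constructed sample lockfile (not the project's): a patched lodash, a stale
// lodash-es, a patched root picomatch, and a stale picomatch bundled under npm.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/lodash-es": { version: "4.17.21" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/npm/node_modules/picomatch": { version: "4.0.3" },
  },
};

// Run against the sample; a non-nested stale copy is the actionable case.
const sampleFindings = findUnpatched(SAMPLE_LOCK);
for (const f of sampleFindings) {
  const tag = f.nested ? " (nested; root override does not apply)" : "";
  console.log(`${f.path}: ${f.name}@${f.version} < ${f.required}${tag}`);
}
```

To use it on the real lockfile, call `checkLockfile("package-lock.json")` after `npm install` and fail the build if any non-nested finding remains; nested findings are reported so they can be tracked, matching the distinction the PR note draws between actionable and bundled copies.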

Copilot AI review requested due to automatic review settings April 13, 2026 02:55

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates npm overrides and the lockfile to remediate Dependabot-reported vulnerabilities by forcing patched lodash/lodash-es (and maintaining the existing picomatch override) across the dependency tree.

Changes:

  • Bump lodash override to ^4.18.0 and add lodash-es override ^4.18.0.
  • Regenerate package-lock.json so lodash and lodash-es resolve to 4.18.1.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Updates overrides to enforce patched lodash versions (and explicitly adds lodash-es). |
| package-lock.json | Updates resolved lodash / lodash-es tarballs + integrity to 4.18.1. |


@nedseb nedseb merged commit f867a08 into main Apr 13, 2026
14 checks passed
@nedseb nedseb deleted the fix/dependabot-alerts branch April 13, 2026 02:57
semantic-release-updater Bot pushed a commit that referenced this pull request Apr 13, 2026
## [0.16.5](v0.16.4...v0.16.5) (2026-04-13)

### Bug Fixes

* Bump lodash and lodash-es to 4.18 to address dependabot alerts. ([#385](#385)) ([f867a08](f867a08))
@semantic-release-updater

🎉 This PR is included in version 0.16.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

