
Commit 56a8191

andriy-sudo and claude authored
fix: bump lodash to 4.18.1 to remediate CVE-2026-4800 (#25)
lodash <4.18.0 allows code injection via unsanitised options.imports key names in _.template(). Fixed in 4.18.0. Resolves ENG-14004. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 83cb8c2 commit 56a8191

2 files changed

Lines changed: 6 additions & 6 deletions


zapier/package-lock.json

Lines changed: 4 additions & 4 deletions

zapier/package.json

Lines changed: 2 additions & 2 deletions
@@ -9,13 +9,13 @@
99
"dependencies": {
1010
"agentql-js-common": "^0.0.1",
1111
"zapier-platform-core": "^17",
12-
"lodash": ">=4.17.23"
12+
"lodash": ">=4.18.0"
1313
},
1414
"devDependencies": {
1515
"jest": "^29.6.0"
1616
},
1717
"overrides": {
18-
"lodash": ">=4.17.23",
18+
"lodash": ">=4.18.0",
1919
"minimatch": "^3.1.3",
2020
"picomatch": "^2.3.2"
2121
},
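
Review bot: the new "lodash": ">=4.18.0" range, on line 12 under "dependencies" and again on line 18 under "overrides", has no upper bound and does not match the 4.18.1 named in the commit title. A ">=" range accepts any later release, including a future major version, so the version that actually installs is decided entirely by the lockfile, and the package-lock.json diff is not rendered on this page to confirm what it resolves to. Consider "^4.18.1" (or an exact "4.18.1" in "overrides") so the manifest itself states the remediated floor, stays within the 4.x line, and agrees with the commit message. Since the "overrides" entry already forces the version for the whole tree, the two entries should carry the same range so they cannot drift apart in a later edit.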
