
fix: bump lodash to 4.18.1 (CVE-2026-4800) [ENG-14004] #25

Merged
andriy-sudo merged 1 commit into main from fix/eng-14004-lodash-4.18.0
Apr 6, 2026

Conversation

@andriy-sudo
Contributor

Summary

Bumps lodash from 4.17.23 → 4.18.1 to remediate CVE-2026-4800.

Vulnerability: _.template does not validate options.imports key names, allowing code injection when untrusted input is passed as import keys. Fixed in 4.18.0 (validates keys via reForbiddenIdentifierChars + uses assignWith instead of assignInWith).

Severity: HIGH | SLA: 2026-05-03 | Linear: ENG-14004

Updated both dependencies and overrides in zapier/package.json to >=4.18.0.

Test plan

  • CI passes
  • Verify lodash@4.18.1 in zapier/package-lock.json

🤖 Generated with Claude Code

lodash <4.18.0 allows code injection via unsanitised options.imports key
names in _.template(). Fixed in 4.18.0. Resolves ENG-14004.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
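The defect described in the summary is a missing identifier check on the keys of `options.imports`. As an added JavaScript example (not lodash's code and not part of this PR), this is an application-side guard that rejects any import key that is not a plain identifier before the object ever reaches `_.template`; the regex and reserved-word list are this example's own assumptions, not lodash's `reForbiddenIdentifierChars`.

```javascript
// Added example, not lodash's code and not part of this PR: an application-side
// guard for _.template's options.imports, the surface CVE-2026-4800 is described
// as abusing. lodash splices the import key names into the compiled template
// function as parameter names, so a key that is not a plain JavaScript
// identifier lets caller-controlled text reach generated code. The regex and
// reserved-word list are this example's own; they are not lodash's
// reForbiddenIdentifierChars check, only an extra layer in front of it.

// ASCII-only identifier: deliberately stricter than the language allows.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Identifier-shaped names that still cannot be, or must not be, parameter
// names of the generated function.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'yield', 'let', 'static', 'await', 'arguments', 'eval',
]);

function isSafeImportKey(key) {
  return typeof key === 'string' && IDENTIFIER_RE.test(key) && !RESERVED.has(key);
}

// Returns a prototype-less copy holding only validated own keys, or throws, so
// the caller never reaches _.template(source, { imports }) with a bad name.
function sanitizeTemplateImports(imports) {
  if (imports === null || typeof imports !== 'object') {
    throw new TypeError('options.imports must be a plain object');
  }
  const safe = Object.create(null);
  for (const key of Object.keys(imports)) {
    if (!isSafeImportKey(key)) {
      throw new Error(`unsafe template import name: ${JSON.stringify(key)}`);
    }
    safe[key] = imports[key];
  }
  return safe;
}

// Usage: _.template(source, { imports: sanitizeTemplateImports(userImports) })
```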
@andriy-sudo andriy-sudo requested a review from hongjingzhou April 6, 2026 14:22
@coderabbitai

coderabbitai Bot commented Apr 6, 2026

📝 Walkthrough

The lodash dependency constraint was updated in zapier/package.json. Both the dependencies section and the overrides section had their lodash version constraint changed from >=4.17.23 to >=4.18.0. This modification allows the project to use lodash version 4.18.0 or higher, whereas previously it was constrained to 4.17.23 or higher. No other dependencies, scripts, or code entities were altered.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name        | Status    | Explanation
Title check       | ✅ Passed | The title accurately describes the main change: bumping lodash to address CVE-2026-4800, which aligns with the changeset that updates lodash dependencies.
Description check | ✅ Passed | The description is directly related to the changeset, providing context about the CVE vulnerability, the version bump rationale, and the files modified.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@zapier/package.json`:
- Around line 12-18: Update the manifest-level lodash version constraint to a
fixed, auditable release instead of an open range: replace the "lodash" entries
currently set to ">=4.18.0" in both the dependencies block and the "overrides"
block with the exact version "4.18.1" (i.e., update the "lodash" value in
package.json for both places), then regenerate the lockfile (npm install / npm
ci) so package-lock.json reflects the pinned version.

📥 Commits

Reviewing files that changed from the base of the PR and between 83cb8c2 and aa2d25f.

⛔ Files ignored due to path filters (1)
  • zapier/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • zapier/package.json

Comment thread zapier/package.json
Comment on lines +12 to +18
"lodash": ">=4.18.0"
},
"devDependencies": {
"jest": "^29.6.0"
},
"overrides": {
"lodash": ">=4.17.23",
"lodash": ">=4.18.0",

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Declared lodash constraints in zapier/package.json:"
python - <<'PY'
import json
p = json.load(open("zapier/package.json"))
print("dependencies.lodash =", p.get("dependencies", {}).get("lodash"))
print("overrides.lodash    =", p.get("overrides", {}).get("lodash"))
PY

echo
echo "Resolved lodash versions in zapier/package-lock.json (if present):"
if [ -f zapier/package-lock.json ]; then
  python - <<'PY'
import json
from collections import Counter

j = json.load(open("zapier/package-lock.json"))
versions = Counter()

# npm lockfile v2/v3 ("packages" map)
for pkg_path, meta in j.get("packages", {}).items():
    if not isinstance(meta, dict):
        continue
    if pkg_path.endswith("node_modules/lodash") or meta.get("name") == "lodash":
        v = meta.get("version")
        if v:
            versions[v] += 1

# fallback for older lockfiles ("dependencies" tree)
def walk(dep_map):
    if not isinstance(dep_map, dict):
        return
    for name, node in dep_map.items():
        if not isinstance(node, dict):
            continue
        if name == "lodash" and "version" in node:
            versions[node["version"]] += 1
        walk(node.get("dependencies", {}))

walk(j.get("dependencies", {}))

if versions:
    for v, c in sorted(versions.items()):
        print(f"{v}\t{c}")
else:
    print("No lodash entries found.")
PY
else
  echo "zapier/package-lock.json not found."
fi

Repository: tinyfish-io/agentql-integrations

Pin lodash to 4.18.1 instead of using open-ended >=4.18.0.

While package-lock.json currently resolves to 4.18.1, the manifest-level constraint >=4.18.0 is non-deterministic and obscures the security remediation intent. For CVE-2026-4800, pinning the exact version makes the fix auditable and prevents drift.

Proposed fix
   "dependencies": {
     "agentql-js-common": "^0.0.1",
     "zapier-platform-core": "^17",
-    "lodash": ">=4.18.0"
+    "lodash": "4.18.1"
   },
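Review bot: Replacing `">=4.18.0"` with the exact `"4.18.1"` in `dependencies` also resolves a mismatch inside the PR itself: the title says "bump lodash to 4.18.1", but the manifest as merged only sets a 4.18.0 floor and the branch is named `lodash-4.18.0`. One correction to the accompanying instruction "regenerate the lockfile (npm install / npm ci)": `npm ci` never rewrites package-lock.json and aborts when it disagrees with package.json, so the sequence is `npm install` to regenerate, commit the lockfile, then `npm ci` in CI to prove the two agree.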
@@
   "overrides": {
-    "lodash": ">=4.18.0",
+    "lodash": "4.18.1",
     "minimatch": "^3.1.3",
     "picomatch": "^2.3.2"
   },
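Review bot: The exact `"4.18.1"` in `overrides` is the line that actually neutralises transitive copies: it forces every nested `node_modules/**/lodash` pulled in by `zapier-platform-core` or `agentql-js-common` to 4.18.1 regardless of the range those packages declare. Two consequences deserve a sentence in the PR description: the test-plan step "Verify lodash@4.18.1 in zapier/package-lock.json" must check every lodash entry in the lockfile, not only the top-level one, and any dependency that declared an older lodash range will now run against a version it was not tested with, so its code paths should get a CI run before merge.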
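The review's two points, an open manifest range and a lockfile that has to be verified copy by copy, as an added JavaScript check that is not part of the PR or of CodeRabbit's script. The manifest, lockfile and `some-dep` package name are constructed for the demo; 4.18.0 is taken from the PR as the first fixed release.

```javascript
// Added example, not part of the PR or of CodeRabbit's script: a check for the
// test-plan step "verify lodash@4.18.1 in zapier/package-lock.json". It flags
// manifest ranges that are not exact pins and every lodash copy in an npm v2/v3
// lockfile ("packages" map, nested copies included) older than the fixed release.
const FIXED_LODASH = '4.18.0'; // first release with the CVE-2026-4800 fix, per the PR

// Dotted numeric compare (-1, 0, 1); a "-prerelease" suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function auditLodash(manifest, lock, fixed = FIXED_LODASH) {
  const findings = [];
  // ">=4.18.0" is the open range the review flagged; only "x.y.z" counts as a pin.
  for (const section of ['dependencies', 'overrides']) {
    const range = (manifest[section] || {}).lodash;
    if (range !== undefined && !/^\d+\.\d+\.\d+$/.test(range)) {
      findings.push(`${section}.lodash is an open range: ${range}`);
    }
  }
  // Every installed copy, including node_modules/<dep>/node_modules/lodash,
  // which is what the "overrides" entry exists to control.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/lodash') && meta.version &&
        compareVersions(meta.version, fixed) < 0) {
      findings.push(`${path} resolves to vulnerable lodash ${meta.version}`);
    }
  }
  return findings;
}

// Constructed sample: the manifest as merged in this PR, and a lockfile with one
// nested copy that the override would have to force forward.
const sampleManifest = {
  dependencies: { lodash: '>=4.18.0' },
  overrides: { lodash: '>=4.18.0' },
};
const sampleLock = {
  packages: {
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
  },
};
```

Running `auditLodash(sampleManifest, sampleLock)` returns three findings: both open ranges and the nested 4.17.21 copy.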

@hongjingzhou hongjingzhou requested a review from colriot April 6, 2026 14:31
@andriy-sudo andriy-sudo merged commit 56a8191 into main Apr 6, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the fix/eng-14004-lodash-4.18.0 branch April 6, 2026 15:20
@andriy-sudo andriy-sudo requested a review from hongjingzhou April 6, 2026 15:34