Skip to content

fix(security): bump lodash to ^4.18.0 (GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66jc, ENG-14276)#46

Merged
andriy-sudo merged 1 commit into
mainfrom
andriy/ENG-14276-bump-lodash-4.18.0
Apr 13, 2026
Merged

fix(security): bump lodash to ^4.18.0 (GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66jc, ENG-14276)#46
andriy-sudo merged 1 commit into
mainfrom
andriy/ENG-14276-bump-lodash-4.18.0

Conversation

@andriy-sudo
Copy link
Copy Markdown
Contributor

@andriy-sudo andriy-sudo commented Apr 13, 2026

Summary

Package Old New Advisory CVSS Status
lodash 4.17.23 4.18.1 GHSA-f23m-r3pf-42rh 6.5 ✅ Fixed
lodash 4.17.23 4.18.1 GHSA-r5fr-rjxr-66jc 8.1 ✅ Fixed

lodash is a dev-only transitive dep pulled in by @trivago/prettier-plugin-sort-imports. Added "lodash": "^4.18.0" override. Lock resolves to 4.18.1.

Changelog impact summary
Package Old New Classification Key changes
lodash 4.17.23 4.18.1 Security Prototype pollution + code injection fixes; dev dep only, no production impact

@andriy-sudo @claude
fix(security): bump lodash to ^4.18.0 (GHSA-f23m-r3pf-42rh, GHSA-r5fr…
4c3b4f9 
…-rjxr-66jc, ENG-14276)

lodash 4.17.23 pulled in via @trivago/prettier-plugin-sort-imports (dev dep).
Override pins to ^4.18.0 (first patched release). Lock resolves to 4.18.1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 13, 2026

Warning

Rate limit exceeded

@andriy-sudo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 0 minutes and 7 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d036a09c-061e-4083-9872-6fa1e60b0f58

📥 Commits

Reviewing files that changed from the base of the PR and between 25b006e and 4c3b4f9.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/ENG-14276-bump-lodash-4.18.0

Comment @coderabbitai help to get the list of available commands and usage tips.

@andriy-sudo andriy-sudo requested a review from colriot April 13, 2026 13:23
@andriy-sudo
Copy link
Copy Markdown
Contributor Author

andriy-sudo commented Apr 13, 2026

@colriot — SPOC review request. All CI green. Please review and approve when ready.

@andriy-sudo andriy-sudo merged commit 5fcfdc7 into main Apr 13, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-14276-bump-lodash-4.18.0 branch April 13, 2026 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@colriot colriot colriot approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andriy-sudo @colriot