From 4c3b4f9e1d621a1f67c62dcc90419260347fe7b0 Mon Sep 17 00:00:00 2001
From: Andriy Lysyuk
Date: Mon, 13 Apr 2026 15:21:51 +0200
Subject: [PATCH] fix(security): bump lodash to ^4.18.0 (GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66jc, ENG-14276)

lodash 4.17.23 pulled in via @trivago/prettier-plugin-sort-imports (dev dep). Override pins to ^4.18.0 (first patched release). Lock resolves to 4.18.1.

Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 6 +++---
 package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 2e80dee1..702f26d6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2456,9 +2456,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "dev": true,
 "license": "MIT"
 },
diff --git a/package.json b/package.json
index 08996024..01b0d53a 100644
--- a/package.json
+++ b/package.json
@@ -55,7 +55,8 @@
 },
 "flatted": "^3.4.2",
 "path-to-regexp": "^8.4.0",
- "picomatch": "^4.0.4"
+ "picomatch": "^4.0.4",
+ "lodash": "^4.18.0"
 },
 "keywords": [
 "mcp",
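Review bot: In the package.json hunk the new entry `"lodash": "^4.18.0"` is appended after `"picomatch"`, although the visible neighbours (`flatted`, `path-to-regexp`, `picomatch`) are in alphabetical order; placing it between `flatted` and `path-to-regexp` keeps the block sorted and leaves the `picomatch` line untouched. The enclosing object opens above the hunk, so that it is the npm `overrides` block is inferred from the commit message rather than visible here. The lockfile hunk shows only the top-level `node_modules/lodash` entry, so it is worth confirming with `npm ls lodash` that no nested copy still resolves to 4.17.23. Because package.json cannot carry a comment, the reason for the pin lives only in the commit message; a follow-up to drop the override once @trivago/prettier-plugin-sort-imports itself admits the patched lodash would stop it outliving its purpose.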