
release-26.2: ui: bump lodash, immer, elliptic, and bn.js for security fixes#169339

Open
dhartunian wants to merge 1 commit intocockroachdb:release-26.2from
dhartunian:backport26.2-169188

Conversation

@dhartunian (Collaborator)

Backport 1/1 commits from #169188.

/cc @cockroachdb/release


Bump several UI dependencies to address known CVEs flagged by the
security team:

lodash and elliptic were already pinned via pnpm overrides; this updates
those pins. immer and bn.js overrides are new. The bn.js override uses
version-scoped keys (bn.js@^4 and bn.js@^5) to bump both major
version lines independently.

Release justification: security patch: CVE fixes for UI dependencies (lodash, immer, elliptic, bn.js)

Bump several UI dependencies to address known CVEs:

- lodash 4.17.20 → 4.18.1 (GHSA-f23m-r3pf-42rh, prototype pollution)
- immer 8.0.1/9.0.3 → 9.0.21 (CVE-2021-23436, CVE-2021-3757,
  prototype pollution)
- elliptic 6.5.4 → 6.6.1 (CVE-2024-42459, CVE-2024-42460,
  CVE-2024-42461, CVE-2024-48948, CVE-2024-48949, CVE-2025-14505)
- bn.js 4.12.0/5.2.1 → 4.12.3/5.2.3 (CVE-2026-2739, infinite loop
  via maskn(0))

Resolves: cockroachdb#168281
Resolves: cockroachdb#168548
Resolves: cockroachdb#168549
Resolves: cockroachdb#168550
Epic: none

Release note (security update): Bumped several frontend dependencies
to address known CVEs: lodash to 4.18.1, immer to 9.0.21, elliptic
to 6.6.1, and bn.js to 4.12.3/5.2.3.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
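The description relies on pnpm's version-scoped override keys (`bn.js@^4` and `bn.js@^5`) so that two major lines of one package are bumped independently. The following is an added example, not code from this PR or from the CockroachDB repository: it encodes the override map the PR describes and checks a constructed list of resolved packages (the shape a lockfile would yield) for copies still below the patched version for their major line, which is the post-bump verification a reviewer would want.

```javascript
// Override map as described in the PR: bare keys apply to every copy of the
// package, "name@^N" keys apply only to the copy whose major version is N.
const overrides = {
  "lodash": "4.18.1",
  "immer": "9.0.21",
  "elliptic": "6.6.1",
  "bn.js@^4": "4.12.3",
  "bn.js@^5": "5.2.3",
};

// Constructed sample of resolved packages, as a lockfile would list them
// (not taken from the repository); several are still on pre-fix versions.
const resolved = [
  ["lodash", "4.17.20"],
  ["immer", "9.0.21"],
  ["elliptic", "6.5.4"],
  ["bn.js", "4.12.3"],
  ["bn.js", "5.2.1"],
];

function parseSemver(v) {
  return v.split(".").map(Number);
}

// Returns -1, 0 or 1 comparing two plain "major.minor.patch" strings.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Pick the override governing one resolved copy. Assumption: "^N" is treated
// as "same major N" (true for majors >= 1, which is all this map needs).
function overrideFor(name, version) {
  const major = parseSemver(version)[0];
  const scoped = overrides[`${name}@^${major}`];
  return scoped !== undefined ? scoped : overrides[name];
}

// Report every resolved copy that is below the version its override pins.
function findOutdated(packages) {
  const out = [];
  for (const [name, version] of packages) {
    const target = overrideFor(name, version);
    if (target !== undefined && compareSemver(version, target) < 0) {
      out.push({ name, version, target });
    }
  }
  return out;
}
```

Running `findOutdated(resolved)` on the constructed sample flags lodash 4.17.20, elliptic 6.5.4 and the bn.js 5.2.1 copy, while bn.js 4.12.3 passes because the `^4` key, not the `^5` key, governs it.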
@dhartunian dhartunian requested a review from a team as a code owner April 29, 2026 14:29
@dhartunian dhartunian requested review from kyle-a-wong and removed request for a team April 29, 2026 14:29
@trunk-io (Contributor)

trunk-io Bot commented Apr 29, 2026

Merging to release-26.2 in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.

@blathers-crl

blathers-crl Bot commented Apr 29, 2026

Thanks for opening a backport.

Before merging, please confirm that the change does not break backwards compatibility and otherwise complies with the backport policy. Include a brief release justification in the PR description explaining why the backport is appropriate. All backports must be reviewed by the TL for the owning area. While the stricter LTS policy does not yet apply, please exercise judgment and consider gating non-critical changes behind a disabled-by-default feature flag when appropriate.

@blathers-crl blathers-crl Bot added the labels backport (PRs that are backports to older release branches) and T-observability on Apr 29, 2026
@cockroach-teamcity (Member)

cockroach-teamcity commented Apr 29, 2026

This change is Reviewable
