fix(deps): security update — 1 package(s) [risk: MED]

[aniket-shikhare-cstk]

Security Fix — SnykrAI

Verification

• Dependencies resolve
• Build passes (npm run build --if-present)
• Tests pass (npm test)

Risk: MEDIUM

Minor version upgrade. New features possible, breaking changes unlikely.

Vulnerabilities Addressed

HIGH: Arbitrary Code Injection

Detail	Value
Package	lodash@4.17.23
Dependency type	Direct
CVE	CVE-2026-4800
CWE	CWE-94
CVSS	8.6
Vulnerable range	<4.18.1
Fixed in	4.18.1
Snyk ID	SNYK-JS-LODASH-15869625
Published	2026-04-01

MEDIUM: Prototype Pollution

Detail	Value
Package	lodash@4.17.23
Dependency type	Direct
CVE	CVE-2026-2950
CWE	CWE-1321
CVSS	6.9
Vulnerable range	>=4.0.0 <4.18.1
Fixed in	4.18.1
Snyk ID	SNYK-JS-LODASH-15869619
Published	2026-04-01

Dependency Upgrades

Package	From	To	Risk	Reasoning
lodash	^4.17.23	^4.18.1	minor	Upgrading to 4.18.1 as specified in Snyk's fixed_in field, resolving both the high and medium severity vulnerabilitie...

Changelog & Impact Analysis

lodash (^4.17.23 → ^4.18.1)

Registry: https://www.npmjs.com/package/lodash?activeTab=versions

Files using this package (5):

• ./src/commands/cm/entries/migrate-html-rte.js
• ./src/lib/util/index.js
• ./test/commands/json-migration.test.js
• ./test/nock-setup.js
• ./test/utils/index.js

LLM Impact Analysis:

Likely safe (low confidence). No changelog is available for the lodash version range jump from ^4.17.23 to ^4.18.1, but lodash 4.x has a strong history of backward compatibility within the major version, making breakage unlikely.

No changelog available from registry.

Metadata

LLM Provider	anthropic
Strategy	conservative
Total issues	5
Fixable	2
Ecosystem	npm
Generated	2026-04-21 15:38 UTC

---

Note: Talisman pre-commit hook was skipped during commit. Please run Talisman locally on this branch before merging to ensure no secrets are flagged.

Automated by SnykrAI — draft PR, needs human review before merging.

[github-actions]

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type	Count (with fixes)	Without fixes	Threshold	Result
🔴 Critical Severity	0	0	10	✅ Passed
🟠 High Severity	0	7	25	✅ Passed
🟡 Medium Severity	0	13	500	✅ Passed
🔵 Low Severity	0	0	1000	✅ Passed

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

Severity	Breaches (with fixes)	Breaches (no fixes)	SLA Threshold (with/no fixes)	Status
🔴 Critical	0	0	15 / 30 days	✅ Passed
🟠 High	0	0	30 / 120 days	✅ Passed
🟡 Medium	0	0	90 / 365 days	✅ Passed
🔵 Low	0	0	180 / 365 days	✅ Passed

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

• Critical without fixes: 0
• High without fixes: 7
• Medium without fixes: 13
• Low without fixes: 0

✅ BUILD PASSED - All security checks passed

[github-actions]

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type	Count (with fixes)	Without fixes	Threshold	Result
🔴 Critical Severity	0	0	10	✅ Passed
🟠 High Severity	0	0	25	✅ Passed
🟡 Medium Severity	0	0	500	✅ Passed
🔵 Low Severity	0	0	1000	✅ Passed

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

Severity	Breaches (with fixes)	Breaches (no fixes)	SLA Threshold (with/no fixes)	Status
🔴 Critical	0	0	15 / 30 days	✅ Passed
🟠 High	0	0	30 / 120 days	✅ Passed
🟡 Medium	0	0	90 / 365 days	✅ Passed
🔵 Low	0	0	180 / 365 days	✅ Passed

✅ BUILD PASSED - All security checks passed