
[release/10.0] Fix lodash CVE by adding npm override for >=4.18.0#66223

Merged
wtgodbe merged 2 commits intodotnet:release/10.0from
wtgodbe:wtgodbe/lodash10
Apr 9, 2026

Conversation

@wtgodbe
Member

@wtgodbe wtgodbe commented Apr 8, 2026

No description provided.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 8, 2026 17:37
@wtgodbe wtgodbe added the tell-mode Indicates a PR which is being merged during tell-mode label Apr 8, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to remediate a lodash security advisory on the release/10.0 branch by forcing lodash to a patched version via npm overrides and updating the lockfile accordingly.

Changes:

  • Add a root-level npm overrides entry intended to require a patched lodash version.
  • Update package-lock.json to reflect the new lodash resolution.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File              | Description
package.json      | Adds a root overrides constraint for lodash to address a CVE.
package-lock.json | Updates the resolved lodash package version to match the override intent.

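Added example (not code from this PR or from the dotnet repository): a small Node script that models the two things the PR does, adding a root-level `overrides` entry to package.json and then checking that the regenerated package-lock.json no longer carries any copy of lodash below the required minimum. The package names, versions and lockfile contents are constructed for illustration; the real PR's files are not reproduced here, and the check looks at the lockfile's `packages` map (lockfileVersion 2/3), including nested `node_modules` copies that a scan of only the top-level entry would miss.

```javascript
// Added example, not code from the PR or the dotnet repository.
// Models what a root-level npm "overrides" entry is meant to achieve and
// checks a package-lock.json (lockfileVersion 2/3 "packages" map) for any
// copy of a package that is still below the required minimum version.

// Parse the numeric "x.y.z" core of a version string; a pre-release or build
// suffix is ignored for this comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return a copy of package.json with a root-level override added. npm applies
// such an entry to every transitive copy of `name`, not only the direct one.
function addOverride(pkg, name, range) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: range } };
}

// List every lockfile entry for `name` whose version is below `minVersion`.
// Keys look like "node_modules/lodash" for the hoisted copy and
// "node_modules/<dep>/node_modules/lodash" for a nested duplicate.
function findStaleCopies(lock, name, minVersion) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry || !entry.version) continue; // "" is the root project
    if (path.split('node_modules/').pop() !== name) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Constructed sample data (hypothetical names and versions, not the PR's files).
const samplePackageJson = {
  name: 'sample-repo',
  devDependencies: { 'some-tool': '^1.0.0' },
};

// Before the override: the hoisted lodash is new enough, but a nested copy
// pulled in by `some-tool` is still old, so a scanner keyed only on the
// top-level entry would miss it.
const sampleLockBefore = {
  name: 'sample-repo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-repo' },
    'node_modules/lodash': { version: '4.18.0' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { lodash: '~4.17.0' } },
    'node_modules/some-tool/node_modules/lodash': { version: '4.17.21' },
  },
};

// After `npm install` has honoured the override: the nested copy is gone and
// every lodash reference resolves to the single hoisted entry.
const sampleLockAfter = {
  name: 'sample-repo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-repo' },
    'node_modules/lodash': { version: '4.18.0' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { lodash: '~4.17.0' } },
  },
};

const patched = addOverride(samplePackageJson, 'lodash', '>=4.18.0');
console.log('package.json overrides:', JSON.stringify(patched.overrides));
console.log('stale before:', findStaleCopies(sampleLockBefore, 'lodash', '4.18.0'));
console.log('stale after :', findStaleCopies(sampleLockAfter, 'lodash', '4.18.0'));
```

In a real repository the override takes effect only after `npm install` regenerates package-lock.json, which is why the PR touches both files; `npm ls lodash` then shows what actually resolved. Two caveats a reviewer would keep in mind: an override only changes what npm installs, so a dependency that bundles its own copy of lodash into a prebuilt file is not affected, and forcing a major-version jump on a transitive dependency can break that dependency at runtime, so the override should be paired with whatever test coverage exercises the consuming packages.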
@github-actions github-actions Bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Apr 8, 2026
@wtgodbe
Member Author

wtgodbe commented Apr 9, 2026

Test failure unrelated: #66064

@wtgodbe wtgodbe merged commit 637a7f3 into dotnet:release/10.0 Apr 9, 2026
27 of 29 checks passed
@dotnet-policy-service dotnet-policy-service Bot added this to the 10.0.7 milestone Apr 9, 2026
@wtgodbe wtgodbe modified the milestones: 10.0.7, 10.0.8 Apr 23, 2026