
[release/9.0] Fix lodash CVE by adding npm override for >=4.18.0#66224

Merged
wtgodbe merged 1 commit into
dotnet:release/9.0from
wtgodbe:wtgodbe/lodash9
Apr 8, 2026

Conversation

@wtgodbe wtgodbe commented Apr 8, 2026

No description provided.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 8, 2026 17:38
@wtgodbe wtgodbe added the tell-mode Indicates a PR which is being merged during tell-mode label Apr 8, 2026
@dotnet-policy-service dotnet-policy-service Bot added this to the 9.0.x milestone Apr 8, 2026

Copilot AI left a comment

Pull request overview

This PR updates the repo’s npm dependency resolution to address a lodash security advisory by introducing an npm overrides constraint and updating the lockfile’s resolved lodash package version.

Changes:

  • Add a root-level npm overrides entry to force lodash to a secure version range.
  • Update package-lock.json to reflect the new resolved lodash version.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File              | Description
package.json      | Adds an overrides.lodash constraint intended to mitigate the lodash CVE across workspaces.
package-lock.json | Updates the resolved lodash package version in the lockfile to match the override.
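The override-plus-lockfile change described in the review above can be checked mechanically. The following is an added example, not code from the PR or from the dotnet repository: it verifies that package.json declares the lodash override and that every copy of lodash recorded in package-lock.json meets the >=4.18.0 floor named in the PR title. The function names and both input documents are constructed for this example.

```javascript
// Added example (not part of the PR): confirm that the npm "overrides" floor for
// lodash is declared in package.json and that every lodash entry in a
// lockfileVersion 2/3 package-lock.json "packages" map satisfies it.
// In a real repo, read both files with fs.readFileSync and JSON.parse.

const MIN_LODASH = "4.18.0"; // floor taken from the PR title: >=4.18.0

// Compare two "x.y.z" version strings; negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Returns whether the override is declared, which lockfile paths still resolve
// lodash below the floor (nested copies included), and an overall verdict.
function auditLodash(pkgJson, lockJson, floor = MIN_LODASH) {
  const override = pkgJson.overrides && pkgJson.overrides.lodash;
  // Simple presence check: the override range must mention the floor version.
  const hasOverride = typeof override === "string" && override.includes(floor);
  const outdated = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    // Match the top-level install and nested copies such as
    // "node_modules/foo/node_modules/lodash"; "lodash-es" is a different package.
    if (path === "node_modules/lodash" || path.endsWith("/node_modules/lodash")) {
      if (compareSemver(entry.version, floor) < 0) outdated.push(`${path}@${entry.version}`);
    }
  }
  return { hasOverride, outdated, ok: hasOverride && outdated.length === 0 };
}

// Constructed sample inputs: package.json carries the override, but the lockfile
// still holds one nested lodash copy that the override did not reach.
const samplePackageJson = { name: "sample", overrides: { lodash: ">=4.18.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample" },
    "node_modules/lodash": { version: "4.18.0" },
    "node_modules/some-tool/node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodash-es": { version: "4.17.21" },
  },
};

console.log(JSON.stringify(auditLodash(samplePackageJson, sampleLock)));
```

A clean result has `ok: true`; any path listed under `outdated` means the lockfile was not fully regenerated after the override was added.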

Labels

  • needs-area-label: Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically
  • tell-mode: Indicates a PR which is being merged during tell-mode
