Skip to content

Upgrade lodash 4.17.21 → 4.18.1 (CVE-2026-4800)#56603

Closed
christophpurrer wants to merge 1 commit intofacebook:mainfrom
christophpurrer:export-D102273666
Closed

Upgrade lodash 4.17.21 → 4.18.1 (CVE-2026-4800)#56603
christophpurrer wants to merge 1 commit intofacebook:mainfrom
christophpurrer:export-D102273666

Conversation

@christophpurrer
Copy link
Copy Markdown
Contributor

@christophpurrer christophpurrer commented Apr 24, 2026

Summary:
Upgrade transitive dependency lodash from 4.17.21 to 4.18.1 to remediate CVE-2026-4800 (Improper Control of Generation of Code / Code Injection).

  • Added "lodash": "4.18.1" to resolutions in package.json to force all lodash ranges (including ~4.17.15) to resolve to 4.18.1
  • Updated yarn.lock entry to resolve all lodash ranges to 4.18.1

Without the resolution override, the ~4.17.15 range would stay at 4.17.21 (vulnerable) since ~ only allows patch-level updates and 4.18.1 is a minor bump.

Changelog: [Internal]

Differential Revision: D102273666

@sandeep3028 @facebook-github-bot
Upgrade lodash 4.17.21 → 4.18.1 (CVE-2026-4800)
f409ccc 
Summary:
Upgrade transitive dependency lodash from 4.17.21 to 4.18.1 to remediate CVE-2026-4800 (Improper Control of Generation of Code / Code Injection).

- Added `"lodash": "4.18.1"` to `resolutions` in package.json to force all lodash ranges (including `~4.17.15`) to resolve to 4.18.1
- Updated yarn.lock entry to resolve all lodash ranges to 4.18.1

Without the resolution override, the `~4.17.15` range would stay at 4.17.21 (vulnerable) since `~` only allows patch-level updates and 4.18.1 is a minor bump.

Changelog: [Internal]

Differential Revision: D102273666
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 24, 2026
@meta-codesync
Copy link
Copy Markdown

meta-codesync Bot commented Apr 24, 2026

@christophpurrer has exported this pull request. If you are a Meta employee, you can view the originating Diff in D102273666.

@meta-codesync meta-codesync Bot closed this in 11d894d Apr 24, 2026
@meta-codesync
Copy link
Copy Markdown

meta-codesync Bot commented Apr 24, 2026

This pull request has been merged in 11d894d.

@facebook-github-tools facebook-github-tools Bot added the Merged This PR has been merged. label Apr 24, 2026
@react-native-bot
Copy link
Copy Markdown
Collaborator

react-native-bot commented Apr 24, 2026

This pull request was successfully merged by @sandeep3028 in 11d894d

When will my fix make it into a release? | How to file a pick request?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. fb-exported Merged This PR has been merged. meta-exported p: Facebook Partner: Facebook Partner

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@christophpurrer @react-native-bot @sandeep3028