[Release-4.20] OCPBUGS-81615: Fix CVE-2026-CVE-2026-4800 in lodash

[MrSanketkumar]

Summary by CodeRabbit

• Chores
  • Bumped a development dependency and updated dependency resolution to enforce the newer version project-wide while preserving an existing security override for another package.
  • Ensures a more consistent development environment and access to recent fixes and improvements from the updated dependency.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-81615, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-81615 to depend on a bug targeting a version in 4.21.0, 4.21.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MrSanketkumar]

/jira refresh

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-81615, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.z) matches configured target version for branch (4.20.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-81620 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-81620 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4e31453a-0dd5-423b-b2bd-f02dbfb56894

📥 Commits

Reviewing files that changed from the base of the PR and between 2449ba8 and 6840a0e.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

Walkthrough

Updated package.json: bumped the lodash devDependency from ^4.17.21 to ^4.18.1 and added/updated an overrides entry to force lodash to ^4.18.1 (existing serialize-javascript override left unchanged).

Changes

Cohort / File(s)	Summary
Dependency & Overrides Update package.json	Bumped devDependencies.lodash from ^4.17.21 to ^4.18.1 and extended overrides to pin lodash to ^4.18.1 (keeps existing serialize-javascript override).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: upgrading lodash to fix CVE-2026-4800, which matches the package.json dependency update from ^4.17.21 to ^4.18.1.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies a JavaScript/TypeScript Node.js project's lodash dependency, not Go/Ginkgo tests, making this check inapplicable.
Test Structure And Quality	✅ Passed	Ginkgo test code quality check is not applicable to this TypeScript/Node.js OpenShift networking console plugin with no Go files.
Microshift Test Compatibility	✅ Passed	This check is not applicable to this pull request. The custom check is designed to assess Ginkgo e2e tests (a Go testing framework), but this PR is a TypeScript/JavaScript React console plugin that only updates dependency versions. No new Ginkgo tests or any other tests are being added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates lodash dependency in package.json for a CVE fix. The repository is a Node.js/TypeScript console plugin with zero Go files and no Ginkgo e2e tests, making SNO compatibility checks inapplicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies package.json for lodash security fix; no deployment manifests, operator code, or controller files changed.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is not applicable to this pull request. The repository is a Node.js/TypeScript project with zero Go files, and this PR only updates JavaScript dependency versions in package.json.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR updates lodash dependency in package.json only; no new Ginkgo e2e tests added to this Node.js frontend project.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-81615, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.z) matches configured target version for branch (4.20.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-81620 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-81620 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

Summary by CodeRabbit

• Chores
• Updated a development dependency to the latest version for improved stability and access to recent updates.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[openshift-ci]

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pcbailey]

/lgtm

[upalatucci]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, upalatucci

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [upalatucci]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@MrSanketkumar: An error was encountered invalid pull identifier with 2 parts: "advisories/GHSA-35jh-r3h4-6jhm" for bug OCPBUGS-81615 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue OCPBUGS-81615: All pull requests linked via external trackers have merged:

• openshift/networking-console-plugin#399

Jira Issue OCPBUGS-81615 has been moved to the MODIFIED state.

Details

In response to this:

Summary by CodeRabbit

• Chores
• Bumped a development dependency and updated dependency resolution to enforce the newer version project-wide while preserving an existing security override for another package.
• Ensures a more consistent development environment and access to recent fixes and improvements from the updated dependency.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.