fix: bump underscore from 1.12.1 to 1.13.8

[mtrezza]

Bumps underscore from 1.12.1 to 1.13.8.

Closes #966

Changes

• 1.13.0: Added full ESM support, security policy, and funding information
• 1.13.1: Restored underscore.js alias in the GitHub repository
• 1.13.2: Fixed regression where _.sample and _.shuffle no longer worked on strings
• 1.13.3: Fixed ExtendScript compatibility issue
• 1.13.4: Fixed WebPack module federation compatibility issue
• 1.13.5: Added module sub-entry to package.json exports for better bundler support
• 1.13.6: Hotfix removing problematic postinstall script from package.json
• 1.13.7: Fixed error when environment overrides native DataView
• 1.13.8: Security fix for DoS via _.flatten and _.isEqual (CVE-2026-27601)

Breaking Changes

None

Code Changes Required

None — the upgrade is a drop-in replacement.

Summary by CodeRabbit

• Chores
  • Updated project dependencies to the latest versions for improved stability and performance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a07ee8d-cc97-4b71-b739-6e9aad49136b

📥 Commits

Reviewing files that changed from the base of the PR and between e40c19a and 2c9698e.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

Updated the underscore dependency from version 1.12.1 to 1.13.8 in both package.json and package-lock.json. This includes corresponding hash and integrity updates for the locked dependency.

Changes

Cohort / File(s)	Summary
Dependency Version Update package.json, package-lock.json	Bumped underscore from 1.12.1 to 1.13.8; updated resolved tarball URL and integrity checksum in lock file.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: updating the underscore dependency from 1.12.1 to 1.13.8, which is the primary and only modification in the changeset.
Linked Issues check	✅ Passed	The PR fully addresses the linked issue #966 objective to bump underscore from 1.12.1 to 1.13.8, including the critical security fix (CVE-2026-27601) and all intermediate improvements in 1.13.x releases.
Out of Scope Changes check	✅ Passed	All changes in the PR are scoped to the underscore dependency version bump; no unrelated modifications or out-of-scope changes are present in package.json or package-lock.json.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.510)

package.json

2026-03-30 02:06:21,652 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 02:06:21,655 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 02:06:21,656 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 02:06:21,718 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

[MainThread ] [WARNI] Secret scanning: could not process file package.json
2026-03-30 02:06:21,773 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}