
fix(security): bump lodash 4.17.23 → 4.18.1 in examples/js (ENG-14277) #150

Merged
KateZhang98 merged 1 commit into main from andriy/ENG-14277-fix-lodash-cve-2026-4800
Apr 14, 2026

Conversation

@andriy-sudo
Contributor

Vulnerability Fixes

| Package | Old | New | Advisory | CVSS | Ticket | Status |
|---|---|---|---|---|---|---|
| lodash | 4.17.23 | 4.18.1 | GHSA-r5fr-rjxr-66jc (CVE-2026-4800) | High | ENG-14277 | ✅ Fixed |

Changes

  • examples/js/package.json: adds "lodash": "^4.18.0" to overrides (transitive dep)
  • examples/js/package-lock.json: regenerated — lodash resolved to 4.18.1

Supersedes Dependabot PR for alert #39.

Changelog impact summary
| Package | Old | New | Classification | Key changes |
|---|---|---|---|---|
| lodash | 4.17.23 | 4.18.1 | Patch/security | GHSA-r5fr-rjxr-66jc code injection fix for _.template; no API changes; examples only, not application code |

Adds overrides entry to block GHSA-r5fr-rjxr-66jc (CVE-2026-4800, CVSS HIGH):
lodash _.template code injection via options.imports key names, fixed in 4.18.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai bot commented Apr 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 015a918 and 226d47b.

⛔ Files ignored due to path filters (1)
  • examples/js/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • examples/js/package.json

📝 Walkthrough

The change adds a new overrides field to examples/js/package.json that pins the lodash package to version ^4.18.0. This entry does not modify any existing package dependencies, scripts, or override values. The modification is a single line addition to the package configuration file.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title clearly and specifically describes the main change: bumping lodash from 4.17.23 to 4.18.1 in examples/js to fix a security vulnerability. |
| Description check | ✅ Passed | The pull request description is directly related to the changeset, providing context about the vulnerability being fixed, the version bump, and the specific files modified. |


@andriy-sudo andriy-sudo requested a review from KateZhang98 April 14, 2026 15:45
@andriy-sudo
Contributor Author

@KateZhang98 — SPOC review request. Reviewer assignment API returned empty (team-access-only repo). Please review and approve when ready.

@KateZhang98 KateZhang98 merged commit 0706439 into main Apr 14, 2026
4 checks passed
@KateZhang98 KateZhang98 deleted the andriy/ENG-14277-fix-lodash-cve-2026-4800 branch April 14, 2026 17:09

2 participants