Skip to content

chore(deps): bump lodash and commitizen in /plugins/magento2#4487

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/plugins/magento2/multi-321dbf182b
Open

chore(deps): bump lodash and commitizen in /plugins/magento2#4487
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/plugins/magento2/multi-321dbf182b

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026
edited by cursor bot
Loading

Bumps lodash to 4.18.1 and updates ancestor dependency commitizen. These dependencies need to be updated together.

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates commitizen from 3.1.2 to 4.2.4

Release notes

Sourced from commitizen's releases.

v4.2.4

4.2.4 (2021-05-07)

Bug Fixes

  • deps: update find-node-modules to ^2.1.2 (#824) (e434901)

v4.2.3

4.2.3 (2021-01-15)

Bug Fixes

  • revert "use cz-conventional-changelog as default adapter (#778)" (#792) (f2fad87)

v4.2.2

4.2.2 (2020-10-20)

Bug Fixes

  • cli: Exit CLI with 1(as failed) when received SIGINT (#736) (95a20d4)

Features

  • Use cz-conventional-changelog as default adapter (#778) (e6b75cb). Fixes (#762)

v4.2.1

4.2.1 (2020-08-25)

Bug Fixes

v4.2.0

4.2.0 (2020-08-24)

Features

v4.1.5

4.1.5 (2020-08-21)

Bug Fixes

... (truncated)

Commits
  • e434901 fix(deps): update find-node-modules to ^2.1.2 (#824)
  • 12442c1 chore(release): use conventionalcommits preset in semantic-release (#793)
  • f2fad87 fix: revert "use cz-conventional-changelog as default adapter (#778)" (#792)
  • 2663ff4 chore(deps): update dependency uuid to v3.4.0 (#668)
  • d1481b9 chore(deps): update dependency semantic-release to v15.14.0 (#660)
  • 1e9dda8 chore(deps): bump node-fetch from 2.6.0 to 2.6.1 (#775)
  • 95a20d4 fix(cli): Exit CLI with 1(as failed) when received SIGINT (#736)
  • ba7eeb6 chore(renovate): Initial enhanced configuration (#786)
  • e6b75cb feat!: use cz-conventional-changelog as default adapter (#778)
  • a97e808 docs(readme): specify environment in code blocks (#781)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Primarily a dependency bump, but commitizen@4.2.4 (and transitive deps) requires Node >=10 while the plugin advertises Node >=6, which can break installs/dev tooling in older environments.

Overview
Updates the plugins/magento2 plugin’s JS dependencies by bumping lodash to 4.18.1 and commitizen to 4.2.4, with corresponding package-lock.json resolution changes.

This refresh pulls in new transitive dependency versions (including security-related lodash fixes) and updates the dev-tooling dependency graph used for commit workflows.

Written by Cursor Bugbot for commit c2174aa. This will update automatically on new commits. Configure here.

@dependabot
chore(deps): bump lodash and commitizen in /plugins/magento2
c2174aa 
Bumps [lodash](https://github.com/lodash/lodash) to 4.18.1 and updates ancestor dependency [commitizen](https://github.com/commitizen/cz-cli). These dependencies need to be updated together.


Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `commitizen` from 3.1.2 to 4.2.4
- [Release notes](https://github.com/commitizen/cz-cli/releases)
- [Commits](commitizen/cz-cli@v3.1.2...v4.2.4)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: commitizen
  dependency-version: 4.2.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 2, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 2, 2026

⚠️ No Changeset found

Latest commit: c2174aa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@nx-cloud
Copy link
Copy Markdown

nx-cloud bot commented Apr 2, 2026
edited
Loading

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution ↗ for commit c2174aa

Command Status Duration Result
nx test @snippet/react ❌ Failed 3m 36s View ↗
nx test @e2e/angular-17 ✅ Succeeded 6m 35s View ↗
nx test @e2e/nuxt ✅ Succeeded 5m 39s View ↗
nx test @e2e/nextjs-sdk-next-app ✅ Succeeded 7m 14s View ↗
nx test @e2e/solid-start ✅ Succeeded 4m 15s View ↗
nx test @e2e/react-sdk-next-14-app ✅ Succeeded 5m 12s View ↗
nx test @e2e/react-sdk-next-15-app ✅ Succeeded 5m 7s View ↗
nx test @e2e/qwik-city ✅ Succeeded 7m 25s View ↗
Additional runs (38) ✅ Succeeded ... View ↗

☁️ Nx Cloud last updated this comment at 2026-04-02 14:44:52 UTC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants