
fix: bump lodash to ^4.18.1 (CVE-2026-4800)#301

Closed
Copilot wants to merge 2 commits into main from copilot/fix-lodash-vulnerability

Conversation


Copilot AI commented Apr 30, 2026

CVE-2026-4800 (GHSA-r5fr-rjxr-66jc) is a code-injection vulnerability in lodash's _.template via the imports key, patched in 4.18.0. Lodash 4.17.21–4.17.23 remain vulnerable.

Changes

  • package.json — Added "lodash": "^4.18.1" to the resolutions field. Lodash is a transitive-only dependency, so a resolution override is the correct forcing mechanism.
  • yarn.lock — Regenerated; all transitive consumers now resolve to lodash 4.18.1.
"resolutions": {
  "cross-spawn": "^7.0.6",
  "lodash": "^4.18.1",
  ...
}
Original prompt

fix: bump lodash to >=4.18.0 (CVE-2026-4800)

CVE-2026-4800 / GHSA-r5fr-rjxr-66jc: code injection via _.template imports key. Patched in 4.18.0.

The currently open dependabot PR #281 (lodash 4.17.21 -> 4.17.23) is insufficient — 4.17.23 is still listed as vulnerable.

Steps:

  1. Close PR chore(deps): bump lodash from 4.17.21 to 4.17.23 #281.
  2. yarn why lodash (or npm equivalent) — identify whether lodash is a direct dep, devDep, or transitive.
  3. If direct: bump to ^4.18.1 in package.json.
  4. If transitive: add "lodash": "4.18.1" to root resolutions (or overrides for npm).
  5. yarn install, run tests, commit lockfile.
  6. Verify: yarn why lodash shows only >= 4.18.0.

Acceptance: CVE-2026-4800 cleared in next scan.

Co-authored-by: GitHub Copilot <copilot@noreply.github.com>
Copilot AI changed the title from "[WIP] Fix: bump lodash to version 4.18.1 for CVE-2026-4800" to "fix: bump lodash to ^4.18.1 (CVE-2026-4800)" Apr 30, 2026
Copilot AI requested a review from Ninerian April 30, 2026 07:17
@github-actions

size-limit report 📦

Path Size
src/main.js 6.71 KB (0%)

@Ninerian Ninerian marked this pull request as ready for review April 30, 2026 12:27
@Ninerian Ninerian requested a review from a team as a code owner April 30, 2026 12:27
@Ninerian Ninerian requested a review from PujaSingh7655 April 30, 2026 12:27
@Ninerian
Contributor

@dependabot rebase

@Ninerian
Contributor

main already contains 'lodash': '^4.18.0' in resolutions — this PR is superseded.

@Ninerian Ninerian closed this Apr 30, 2026

3 participants