
fix: upgrade lodash to 4.18.1 to patch CVE-2026-4800 (Dependabot #97)#302

Merged
PujaSingh7655 merged 1 commit into main from fix/dependabot-97-lodash-cve-2026-4800
Apr 30, 2026

Conversation

@PujaSingh7655
Contributor

Summary

  • Adds "lodash": "^4.18.0" to the resolutions field in package.json to force all transitive dependents to use the patched version
  • Resolves Dependabot alert #97
  • yarn.lock now pins lodash to 4.18.1

Security Advisory

GHSA-r5fr-rjxr-66jc / CVE-2026-4800 — High severity
lodash versions >= 4.0.0, <= 4.17.23 are vulnerable to Code Injection via _.template imports key names. Untrusted input passed as options.imports key names flows into a Function() constructor sink, allowing arbitrary code execution at template compile time.

The fix (lodash 4.18.0+) validates importsKeys and replaces assignInWith with assignWith to avoid prototype pollution.

Impact

lodash is a transitive dev dependency only — it is not shipped in the production bundle. Risk is limited to the build/test environment.

Test plan

  • All 52 unit tests pass (yarn test-unit)
  • yarn.lock updated — lodash resolves to 4.18.1

🤖 Generated with Claude Code

adds yarn resolutions for lodash >=4.18.0 to fix GHSA-r5fr-rjxr-66jc.
lodash is a transitive dev dependency pinned to 4.18.1 in the lockfile.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
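As an added example (not part of this PR or the project's code), a small Node.js check that verifies the test-plan claim directly from a yarn v1 lockfile: every entry resolved for the package named `lodash` must pin a version at or above the patched 4.18.0 line, so a resolutions entry in package.json that never made it into yarn.lock would be caught. The lockfile text below is constructed; the script matches only the exact name `lodash`, so related packages such as `lodash.merge` are reported as separate entries and not checked.

```javascript
// Constructed sample yarn.lock (v1 format); not this project's real lockfile.
const SAMPLE_LOCK = `# yarn lockfile v1

lodash@^4.17.15, lodash@^4.17.21, lodash@^4.18.0:
  version "4.18.1"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz"

lodash.merge@^4.6.2:
  version "4.6.2"
`;

// Parse a yarn v1 lockfile into { name, requested, version } records.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!raw.startsWith(" ")) {
      // Header line `pkg@range, pkg@range:`; keys may be double-quoted.
      const keys = raw.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      // lastIndexOf("@") keeps the leading "@" of scoped names such as @scope/pkg.
      const name = keys[0].slice(0, keys[0].lastIndexOf("@"));
      current = { name, requested: keys.map((k) => k.slice(k.lastIndexOf("@") + 1)), version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric x.y.z comparison; sufficient for lodash release tags (no pre-release suffixes).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile resolution of `pkg` whose pinned version is older than `minVersion`.
function findUnpatched(lockText, pkg, minVersion) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, minVersion) < 0)
    .map((e) => ({ requested: e.requested, version: e.version }));
}
const unpatched = findUnpatched(SAMPLE_LOCK, "lodash", "4.18.0");
console.log(unpatched.length ? unpatched : "lodash: every resolution is >= 4.18.0");
```

To run it against a real repository, replace SAMPLE_LOCK with fs.readFileSync("yarn.lock", "utf8") and fail the CI step when the returned array is non-empty.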
@PujaSingh7655 PujaSingh7655 requested a review from a team as a code owner April 30, 2026 12:31
@github-actions

size-limit report 📦

Path Size
src/main.js 6.71 KB (0%)

@PujaSingh7655 PujaSingh7655 merged commit 8953c37 into main Apr 30, 2026
10 checks passed
@PujaSingh7655 PujaSingh7655 deleted the fix/dependabot-97-lodash-cve-2026-4800 branch April 30, 2026 12:34
@staffbase-actions

🎉 This PR is included in version 3.1.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
