From eefe37acfc47ad055bc8dcbe1ae678c23b353434 Mon Sep 17 00:00:00 2001
From: Puja
Date: Thu, 30 Apr 2026 14:31:28 +0200
Subject: [PATCH] fix: upgrade lodash via resolutions to patch cve-2026-4800

adds yarn resolutions for lodash >=4.18.0 to fix GHSA-r5fr-rjxr-66jc. lodash is a transitive dev dependency pinned to 4.18.1 in the lockfile.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package.json | 1 +
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 98acfe4..256f2e2 100644
--- a/package.json
+++ b/package.json
@@ -93,6 +93,7 @@
 },
 "resolutions": {
 "cross-spawn": "^7.0.6",
+ "lodash": "^4.18.0",
 "minimatch": "^5.1.8",
 "wrap-ansi": "^7.0.0",
 "semver": "^7.3.2"
diff --git a/yarn.lock b/yarn.lock
index 05ef8df..360992a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4439,10 +4439,10 @@ lodash.upperfirst@^4.3.1:
 resolved "https://registry.yarnpkg.com/lodash.upperfirst/-/lodash.upperfirst-4.3.1.tgz#1365edf431480481ef0d1c68957a5ed99d49f7ce"
 integrity sha512-sReKOYJIJf74dhJONhU4e0/shzi1trVbSWDOhKYE5XV2O+H7Sb2Dihwuc7xWxVl+DgFPyTqIN3zMfT9cq5iWDg==

-lodash@^4.17.15, lodash@^4.17.21, lodash@~4.17.21:
- version "4.17.21"
- resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
- integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+lodash@^4.17.15, lodash@^4.17.21, lodash@^4.18.0, lodash@~4.17.21:
+ version "4.18.1"
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz#ff2b66c1f6326d59513de2407bf881439812771c"
+ integrity sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==

 loglevel@^1.8.1:
 version "1.9.2"
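Review bot: The new `"lodash": "^4.18.0"` entry under `resolutions` in package.json overrides every lodash request in the tree, including the `lodash@~4.17.21` requester visible in the yarn.lock key, which declared that it accepts only 4.17.x patch releases and is now forced onto 4.18.1. Before merging, run `yarn why lodash` to identify that dependent and exercise the tooling that pulls it in, because a resolution silences the range mismatch rather than proving compatibility. Yarn applies `resolutions` only to this repository's own install, so if lodash is reachable from anything published to consumers (the description says it is dev-only, which the diff alone cannot confirm), GHSA-r5fr-rjxr-66jc would still need a fix in the dependent's own range. package.json has no comment syntax, so the advisory id in the commit message is the only record of why the entry exists; drop the entry once the dependents accept >=4.18.0 themselves.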