
Bump lodash to >= 4.18.0 (security) #6308

Open
jencarlucci wants to merge 1 commit into main from security/bump-deps-vuln-192979

Conversation

@jencarlucci
Contributor

Security Dependency Updates

| Dependency | From | To | Vulnerability | Advisory |
| --- | --- | --- | --- | --- |
| lodash | 4.17.21 | 4.18.1 | Code Injection via _.template imports key names (CVE-2026-4800) | GHSA-r5fr-rjxr-66jc |

Details

  • lodash is a transitive dev dependency (via eslint-plugin-json)
  • Added an overrides entry in package.json to force lodash >= 4.18.0
  • This resolves Dependabot alert #18

Closes https://github.com/github/vuln-mgmt/issues/192979

Add npm override for lodash to resolve CVE-2026-4800 (Code Injection
via _.template imports key names).

Closes github/vuln-mgmt#192979

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
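A lock-file check for this kind of override, added here as an example and not part of the PR or the repository (the lock-file fragment and the `some-plugin` package name are constructed): it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and reports every lodash copy, top-level or nested under another dependency, that still resolves below 4.18.0. Running it against the real lock file after `npm install` confirms the override reached every transitive path.

```javascript
// Added example (not part of the PR): audit a package-lock.json of
// lockfileVersion 2 or 3 for lodash copies that still resolve below the
// patched floor, including copies nested under other dependencies.
const MIN_LODASH = "4.18.0"; // floor the PR's override enforces

// Numeric major.minor.patch of a version string; pre-release/build tags dropped.
function parseVersion(v) {
  return v.split("-")[0].split("+")[0].split(".").map(Number);
}

// true when `version` >= `floor` by plain semver precedence on the core triple
function atLeast(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Every entry in the lock's `packages` map for `name`, at any nesting depth,
// whose resolved version is below `floor`. Only the v2/v3 `packages` map is
// read; the legacy v1 `dependencies` tree is not consulted.
function findOutdated(lock, name, floor) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .filter(([, entry]) => entry.version && !atLeast(entry.version, floor))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Constructed lock fragment: the top-level copy is patched, but a nested copy
// under a hypothetical plugin was left behind, which is what this check catches.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": { version: "4.18.1", dev: true },
    "node_modules/some-plugin": { version: "1.0.0", dev: true },
    "node_modules/some-plugin/node_modules/lodash": { version: "4.17.21", dev: true },
  },
};

const outdated = findOutdated(sampleLock, "lodash", MIN_LODASH);
for (const { path, version } of outdated) {
  console.log(`${path} still resolves to ${version} (< ${MIN_LODASH})`);
}
```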
Copilot AI review requested due to automatic review settings April 20, 2026 17:46

Copilot AI left a comment


Pull request overview

Updates the repository’s Node.js dependency resolution to mitigate a lodash security advisory by forcing lodash to resolve to a patched version.

Changes:

  • Add an overrides rule in package.json to require lodash >= 4.18.0.
  • Update package-lock.json to resolve lodash to 4.18.1.
| File | Description |
| --- | --- |
| package.json | Adds lodash override (and minor formatting change to eslintConfig). |
| package-lock.json | Updates resolved lodash version to 4.18.1 and adjusts lock entries accordingly. |

Copilot's findings


  • Files reviewed: 1/2 changed files
  • Comments generated: 1

Comment thread package.json
"eslint-plugin-json": "^3.1.0"
},
"overrides": {
"lodash": ">=4.18.0"
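Review bot: the `overrides` entry at the end of this hunk is honoured only by npm (8.3 or later); yarn reads `resolutions` and pnpm reads `pnpm.overrides`, so any CI job or developer installing with another package manager keeps the transitive lodash under eslint-plugin-json at 4.17.21. Suggest stating in the PR description that npm is the supported installer, and adding the verification step that was run (for example `npm ls lodash`, or checking that every `node_modules/lodash` entry in package-lock.json resolves to 4.18.1), since the lock-file diff is the only evidence here that the override actually took effect.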

Copilot AI Apr 20, 2026


The override range >=4.18.0 will allow future major versions (e.g. 5.x) if/when they’re published, which can introduce unexpected breakage even for transitive deps. Consider constraining this to the current major (e.g. ^4.18.1 or pinning 4.18.1) while still satisfying the advisory.

Suggested change
"lodash": ">=4.18.0"
"lodash": "^4.18.0"
