
Upgrade lodash to ^4.18.0 to fix CVE-2026-4800 and CVE-2026-2950 #1621

Merged
chagong merged 1 commit into main from fix/upgrade-lodash-4.18.0
Apr 8, 2026

Conversation

@chagong
Contributor

@chagong chagong commented Apr 8, 2026

Summary

Upgrades lodash from ^4.17.23 to ^4.18.0 to resolve two open Dependabot alerts.

Vulnerabilities Fixed

| Alert | CVE | Severity | Description |
| --- | --- | --- | --- |
| #45 | CVE-2026-4800 | High (CVSS 8.1) | Code Injection via _.template imports key names (GHSA-r5fr-rjxr-66jc) |
| #44 | CVE-2026-2950 | Medium (CVSS 6.5) | Prototype Pollution via array path bypass in _.unset and _.omit (GHSA-f23m-r3pf-42rh) |

Changes

  • package.json: Updated lodash version constraint from ^4.17.23 to ^4.18.0
  • package-lock.json: Resolved to lodash@4.18.1

- CVE-2026-4800 (high): Code Injection via _.template imports key names (GHSA-r5fr-rjxr-66jc)
- CVE-2026-2950 (medium): Prototype Pollution via array path bypass in _.unset and _.omit (GHSA-f23m-r3pf-42rh)

Both vulnerabilities are fixed in lodash 4.18.0.
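A practical follow-up to a bump like this is to confirm that every resolved copy of lodash in the lockfile, nested copies under other dependencies included, is at or above the fixed release the PR names (4.18.0). The script below is an added example, not code from this pull request or from lodash; it reads npm lockfile structures (the v2/v3 `packages` map and the v1 `dependencies` tree) and compares versions without an external semver library. The lockfile fragments it checks are constructed for illustration and are not the project's real lockfile.

```javascript
// Added example (not part of the pull request): flag any resolved lodash copy
// in an npm lockfile that is older than the first fixed release named in the PR.

const FIXED_VERSION = "4.18.0"; // first lodash release fixing CVE-2026-4800 and CVE-2026-2950, per the PR

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release or build suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved lodash version: top-level and nested entries in the
// lockfile v2/v3 "packages" map, plus the recursive v1 "dependencies" tree.
function resolvedLodashVersions(lock) {
  const found = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/lodash" || path.endsWith("/node_modules/lodash")) {
      found.add(entry.version);
    }
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === "lodash" && entry.version) found.add(entry.version);
      walk(entry.dependencies); // v1 lockfiles nest transitive copies here
    }
  };
  walk(lock.dependencies);
  return [...found];
}

// Audit result: all resolved versions, the ones still below the fix, and a verdict.
function auditLodash(lock, fixed = FIXED_VERSION) {
  const versions = resolvedLodashVersions(lock);
  const vulnerable = versions.filter((v) => compareVersions(v, fixed) < 0);
  return { versions, vulnerable, ok: versions.length > 0 && vulnerable.length === 0 };
}

// Constructed lockfile fragments (illustrative, not the project's real lockfile).
const lockBefore = {
  lockfileVersion: 3,
  packages: { "node_modules/lodash": { version: "4.17.23" } },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: { "node_modules/lodash": { version: "4.18.1" } },
};
// A transitive dependency pinning its own older lodash is still flagged.
const lockNested = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/some-dep/node_modules/lodash": { version: "4.17.21" },
  },
};

for (const [label, lock] of [["before", lockBefore], ["after", lockAfter], ["nested", lockNested]]) {
  const r = auditLodash(lock);
  console.log(`${label}: resolved=${r.versions.join(",")} vulnerable=${r.vulnerable.join(",") || "none"} ok=${r.ok}`);
}
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one a plain `package.json` constraint bump does not catch, which is why the check walks the whole lockfile rather than reading the top-level entry only.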
@chagong chagong merged commit 797e57c into main Apr 8, 2026
4 checks passed
@chagong chagong deleted the fix/upgrade-lodash-4.18.0 branch April 8, 2026 03:07
2 participants