From 82c03ded0bda86cf104acb7cfa8e3ab587ff32c1 Mon Sep 17 00:00:00 2001
From: Changyong Gong
Date: Wed, 8 Apr 2026 10:56:11 +0800
Subject: [PATCH] Upgrade lodash to ^4.18.0 to fix CVE-2026-4800 and CVE-2026-2950

- CVE-2026-4800 (high): Code Injection via _.template imports key names (GHSA-r5fr-rjxr-66jc)
- CVE-2026-2950 (medium): Prototype Pollution via array path bypass in _.unset and _.omit (GHSA-f23m-r3pf-42rh)
Both vulnerabilities are fixed in lodash 4.18.0.
---
 package-lock.json | 15 ++++++++-------
 package.json | 2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5017dcf..5cae9fd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "compare-versions": "^4.1.4",
 "dotenv": "^16.4.5",
- "lodash": "^4.17.23",
+ "lodash": "^4.18.0",
 "uuid": "^8.3.2",
 "vscode-extension-telemetry-wrapper": "^0.14.0",
 "vscode-languageclient": "6.0.0-next.9",
@@ -1780,9 +1780,10 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w=="
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+ "license": "MIT"
 },
 "node_modules/log-symbols": {
 "version": "4.1.0",
@@ -4601,9 +4602,9 @@
 }
 },
 "lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w=="
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q=="
 },
 "log-symbols": {
 "version": "4.1.0",
diff --git a/package.json b/package.json
index 70bcfe8..b9e9b7a 100644
--- a/package.json
+++ b/package.json
@@ -1365,7 +1365,7 @@
 "dependencies": {
 "compare-versions": "^4.1.4",
 "dotenv": "^16.4.5",
- "lodash": "^4.17.23",
+ "lodash": "^4.18.0",
 "uuid": "^8.3.2",
 "vscode-extension-telemetry-wrapper": "^0.14.0",
 "vscode-languageclient": "6.0.0-next.9",