From 39ddb068d5ec3e81536112699e249ecf91f9c665 Mon Sep 17 00:00:00 2001
From: Dan Draper
Date: Tue, 5 May 2026 18:07:37 +1000
Subject: [PATCH] chore(deps): bump lodash to 4.18.1 (CVE-2026-4800)

Patches GHSA-r5fr-rjxr-66jc / CVE-2026-4800 (high): lodash <= 4.17.23 allows code injection via _.template when an attacker controls the imports option keys. Lodash is a transitive runtime dep here (pulled in by json-schema-to-typescript@15.0.4, which declares lodash: ^4.17.21). The existing root override "lodash": ">=4.17.23" accepted the vulnerable 4.17.23; bumping to ">=4.18.0" pushes the resolved version into the patched line (4.18.0+). The pnpm-lock.yaml change is intentionally a surgical hand-edit of the three lodash references (resolution + integrity, parent's dep ref, snapshot key) rather than a full regen. A regen with the override change ended up bumping ~30 unrelated transitives (drizzle-orm, @types/node, drizzle-kit, etc.) because pnpm took the chance to walk the rest of the lockfile too. Surgical edit keeps the blast radius to just lodash, and `pnpm install --frozen-lockfile` validates cleanly.
---
 package.json | 2 +-
 pnpm-lock.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index a95558a2..30a8904f 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,7 @@
 "test-exclude": "^7.0.1",
 "glob": ">=11.1.0",
 "qs": ">=6.14.1",
- "lodash": ">=4.17.23",
+ "lodash": ">=4.18.0",
 "minimatch": ">=10.2.3",
 "@isaacs/brace-expansion": ">=5.0.1",
 "fast-xml-parser": ">=5.3.4",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1974b5ee..98517b19 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2412,8 +2412,8 @@ packages:
 lodash.startcase@4.4.0:
 resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==}
- lodash@4.17.23:
- resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
+ lodash@4.18.1:
+ resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}
 long@5.3.2:
 resolution: {integrity: sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==}
@@ -4863,7 +4863,7 @@ snapshots:
 '@types/lodash': 4.17.21
 is-glob: 4.0.3
 js-yaml: 4.1.1
- lodash: 4.17.23
+ lodash: 4.18.1
 minimist: 1.2.8
 prettier: 3.7.4
 tinyglobby: 0.2.15
@@ -4940,7 +4940,7 @@ snapshots:
 lodash.startcase@4.4.0: {}
- lodash@4.17.23: {}
+ lodash@4.18.1: {}
 long@5.3.2:
 optional: true