Skip to content

fix(deps): update dependency lodash to v4.17.23 [security] #7885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
renovate merged 1 commit into from
Jan 22, 2026
Merged

fix(deps): update dependency lodash to v4.17.23 [security] #7885

renovate merged 1 commit into from
Jan 22, 2026
+62 −5

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 21, 2026

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

GitHub Vulnerability Alerts

CVE-2025-13465

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner January 21, 2026 23:12
@renovate renovate bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 21, 2026
@renovate renovate bot enabled auto-merge (squash) January 21, 2026 23:12
@github-actions
Copy link

github-actions bot commented Jan 21, 2026

📊 Benchmark results

Comparing with c0db1c6

  • Dependency count: 1,052 (no change)
  • Package size: 317 MB ⬇️ 0.00% decrease vs. c0db1c6
  • Number of ts-expect-error directives: 366 (no change)

@serhalp serhalp added the automerge Add to Kodiak auto merge queue label Jan 22, 2026
@serhalp serhalp self-assigned this Jan 22, 2026
@renovate renovate bot merged commit e0fe8dc into main Jan 22, 2026
110 of 113 checks passed
@renovate renovate bot deleted the renovate/npm-lodash-vulnerability branch January 22, 2026 13:46
@token-generator-app token-generator-app bot mentioned this pull request Jan 22, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

@serhalp serhalp

Labels

automerge Add to Kodiak auto merge queue dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@serhalp