Commit d865635

chore(dev-deps): update dependency lodash to v4.17.23 [security] (#613)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|---|---|
| [lodash](https://lodash.com/) ([source](https://redirect.github.com/lodash/lodash)) | [`4.17.21` → `4.17.23`](https://renovatebot.com/diffs/npm/lodash/4.17.21/4.17.23) | ![age](https://developer.mend.io/api/mc/badges/age/npm/lodash/4.17.23?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/lodash/4.17.23?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/lodash/4.17.21/4.17.23?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/lodash/4.17.21/4.17.23?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-13465](https://redirect.github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg)

### Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

### Patches

This issue is patched on 4.17.23.

---

### Release Notes

<details>
<summary>lodash/lodash (lodash)</summary>

### [`v4.17.23`](https://redirect.github.com/lodash/lodash/compare/0082be44648961341600e879042f74cd29d65d05...4.17.23)

[Compare Source](https://redirect.github.com/lodash/lodash/compare/4.17.21...4.17.23)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/RebeccaStevens/deepmerge-ts).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent a380ece commit d865635

3 files changed

+16
-11
lines changed

benchmark/pnpm-lock.yaml

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 1 addition & 1 deletion
@@ -127,7 +127,7 @@
127127
"jsonc-eslint-parser": "2.4.0",
128128
"knip": "5.62.0",
129129
"lint-staged": "16.1.2",
130-
"lodash": "4.17.21",
130+
"lodash": "4.17.23",
131131
"markdownlint-cli2": "0.18.1",
132132
"prettier": "3.6.2",
133133
"rimraf": "6.0.1",
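
Review bot: The exact pin on line 130, `"lodash": "4.17.23"`, only moves the direct dev dependency, so the fix is complete only if the lockfiles agree with it. The diffs for `pnpm-lock.yaml` and `benchmark/pnpm-lock.yaml` are not rendered on this page; before relying on automerge, confirm there that no other package still resolves a lodash in the 4.0.0 through 4.17.22 range the advisory names. The linked release notes are a bare compare link with no changelog text, so it is also worth skimming that 4.17.21...4.17.23 comparison, since this bump spans two patch releases rather than one.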

pnpm-lock.yaml

Lines changed: 11 additions & 6 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
