
Update dependency lodash to v4.18.1 [SECURITY]#2859

Merged: gardener-prow[bot] merged 1 commit into master from renovate/npm-lodash-vulnerability on Apr 2, 2026

Conversation


@gardener-ci-robot gardener-ci-robot commented Apr 2, 2026

This PR contains the following updates:

Package: lodash (source)
Change: 4.17.23 → 4.18.1

GitHub Vulnerability Alerts

CVE-2026-2950

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

CVE-2026-4800

Impact

The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches

Users should upgrade to version 4.18.0.

The fix applies two changes:

  1. Validate importsKeys against the existing reForbiddenIdentifierChars regex (same check already used for the variable option)
  2. Replace assignInWith with assignWith when merging imports, so only own properties are enumerated

Workarounds

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.


Release Notes

lodash/lodash (lodash)

v4.18.1


Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See #6167 (comment)

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

v4.18.0


Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs
  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR has been generated by Renovate Bot.

Summary by CodeRabbit

  • Chores
    • Updated lodash dependency to version 4.18.1.
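The two guards that the advisories above describe, written out as an added illustration in JavaScript. This is not lodash's code and not part of this PR; the `safeUnset` and `validatedImportsKeys` helper names and the forbidden-character regex are my assumptions, modelled on the description of the fix rather than copied from the library. The first helper treats `constructor` and `prototype` as forbidden non-terminal path keys whether the path arrives as a dotted string or as (possibly nested) array segments, and it walks only own properties; the second enumerates only own keys of the imports object and rejects key names that could not be a plain identifier.

```javascript
// Added illustration of the two guards described in CVE-2026-2950 and
// CVE-2026-4800. Not lodash's implementation; helper names are assumptions.

const FORBIDDEN_NON_TERMINAL = new Set(['constructor', 'prototype']);

// Normalise a path into an array of string keys. Dotted strings are split;
// arrays are flattened so ['a', ['b']] and ['a', 'b'] are treated alike
// (the array-wrapped form is the bypass the advisory names).
function toPathKeys(path) {
  if (Array.isArray(path)) {
    return path.flat(Infinity).map(String);
  }
  return String(path).split('.');
}

// True if any key other than the last one is a forbidden traversal step.
function pathTraversesPrototype(keys) {
  return keys.slice(0, -1).some((k) => FORBIDDEN_NON_TERMINAL.has(k));
}

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Delete the property at `path` on `obj`. Returns true if the delete ran,
// false if the path was rejected or did not resolve through own properties
// of plain objects. A primitive root therefore also yields false.
function safeUnset(obj, path) {
  const keys = toPathKeys(path);
  if (keys.length === 0 || pathTraversesPrototype(keys)) return false;
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (!isObjectLike(cur)) return false;
    // Only walk own properties; never descend into the prototype chain.
    if (!Object.prototype.hasOwnProperty.call(cur, k)) return false;
    cur = cur[k];
  }
  if (!isObjectLike(cur)) return false;
  return delete cur[keys[keys.length - 1]];
}

// Characters that cannot appear in a bare identifier. A key containing any
// of them is rejected before it can reach a code-generating sink. Assumed
// pattern, modelled on the identifier check the advisory refers to.
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

// Return the validated own keys of `imports`. Object.keys ignores inherited
// properties, which is the for..in hazard the advisory describes.
function validatedImportsKeys(imports) {
  const keys = Object.keys(imports);
  for (const k of keys) {
    if (reForbiddenIdentifierChars.test(k)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return keys;
}

// Usage: a blocked call returns false and leaves the built-in untouched.
const blocked = safeUnset({}, ['constructor', 'prototype', 'toString']);
console.log('unset through prototype blocked:', blocked === false,
  'toString intact:', typeof Object.prototype.toString === 'function');

module.exports = { safeUnset, validatedImportsKeys, toPathKeys };
```

The `Object.keys` choice is the point of the second fix: a validator that iterates with `for..in` would still see keys that arrive through the prototype chain, so checking each name is only half the mitigation; restricting enumeration to own properties is the other half.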

@gardener-ci-robot gardener-ci-robot requested a review from grolu as a code owner April 2, 2026 07:29
@gardener-ci-robot gardener-ci-robot added kind/enhancement Enhancement, improvement, extension renovate labels Apr 2, 2026
@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 2, 2026

@petersutter petersutter left a comment


/lgtm
/approve


coderabbitai bot commented Apr 2, 2026

Walkthrough

The .pnp.cjs file's embedded Yarn Plug'n'Play runtime state has been updated to reference lodash version 4.18.1 instead of 4.17.23, updating version specifiers and cached package location paths accordingly.

Changes

Cohort / File(s): Yarn PnP Configuration (.pnp.cjs)
Summary: Updated lodash dependency version from 4.17.23 to 4.18.1 across multiple dependency entries and package cache paths.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • holgerkoser
  • grolu
  • klocke-io

Poem

🐰 A version bump so clean and neat,
From 4.17 to 4.18 we greet,
Lodash hops to higher ground,
In the PnP config, new paths found! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check (⚠️ Warning): The description is comprehensive and includes detailed information about the security vulnerabilities being addressed. However, it does not follow the repository's PR description template structure with required sections like 'What this PR does / why we need it', 'Which issue(s) this PR fixes', 'Special notes for your reviewer', and a properly formatted 'Release note' section.
Resolution: Restructure the description to follow the template: add 'What this PR does' section, clearly state 'Which issue(s) this PR fixes', add 'Special notes for your reviewer', and include a properly formatted release note in the specified format.

✅ Passed checks (2 passed)

Title check (✅ Passed): The title clearly and specifically identifies the main change: updating the lodash dependency to v4.18.1 and the [SECURITY] tag appropriately highlights the critical nature of the update.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 2, 2026

gardener-prow bot commented Apr 2, 2026

LGTM label has been added.

Details: Git tree hash: 862406686d0fead572668d3c46647860540b82f0


gardener-prow bot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: petersutter

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 2, 2026

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.pnp.cjs (1)

11347-11350: Ensure Yarn cache is regenerated properly.

Since .pnp.cjs is auto-generated by Yarn PnP, ensure that the Yarn cache (.yarn/cache/) has been properly updated and the new lodash package at the specified location (./.yarn/cache/lodash-npm-4.18.1-a64c3070ac-757228fc68.zip/) is present. If Renovate didn't regenerate the cache, run yarn install to update the PnP state and cache consistently.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pnp.cjs around lines 11347 - 11350, The .pnp.cjs entry for ["npm:4.18.1", {
"packageLocation":
"./.yarn/cache/lodash-npm-4.18.1-a64c3070ac-757228fc68.zip/node_modules/lodash/",
... }] indicates the Yarn PnP cache may be out of sync; to fix, regenerate the
Yarn PnP cache by running yarn install (or yarn --immutable if CI) locally so
.yarn/cache contains the referenced lodash zip, then commit the updated .pnp.cjs
and any changed cache artifacts; verify the packageLocation path and lodash
version (4.18.1) are present after the install before pushing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 90f71827-301b-4825-bbf3-f48624f3131b

📥 Commits

Reviewing files that changed from the base of the PR and between 73c995f and f43e6c6.

⛔ Files ignored due to path filters (2)
  • .yarn/cache/lodash-npm-4.18.1-a64c3070ac-757228fc68.zip is excluded by !**/.yarn/**, !**/*.zip
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • .pnp.cjs

@gardener-prow gardener-prow bot merged commit a088a3f into master Apr 2, 2026
40 checks passed
@gardener-prow gardener-prow bot deleted the renovate/npm-lodash-vulnerability branch April 2, 2026 07:35