fix: Upgrade recharts to fix lodash vulnerability #11606

Merged
anthonyshew merged 4 commits into main from anthonyshew/turbo-5162-lodash-recharts
Jan 31, 2026
@anthonyshew
Contributor

Summary

  • Upgrades recharts from v2.15.x to v3.7.0 in docs/site and packages/coverage-reporter
  • Fixes TURBO-5162: lodash Prototype Pollution vulnerability (CVE in lodash >=4.0.0 <=4.17.22)

Why this works

Recharts v3.x completely removed the lodash dependency, replacing it with es-toolkit. This eliminates the vulnerable transitive dependency entirely rather than just upgrading it.

Testing

  • pnpm install succeeds
  • pnpm --filter docs build succeeds
  • pnpm why lodash confirms no lodash dependency from recharts
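
As an added example (not part of this PR or the Turborepo code base), the check below scans pnpm-lock.yaml text for lodash versions inside the range the summary cites and lists the lockfile entries that still depend on them, complementing `pnpm why lodash`. The lockfile excerpts, the recharts 2.15.0, react and es-toolkit version strings, and the name `findVulnerableLodash` are constructed for illustration.

```javascript
// Added example, not from the PR. Range bounds come from the PR summary.
const RANGE = { min: [4, 0, 0], max: [4, 17, 22] };
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const inRange = (v) =>
  cmp(parse(v), RANGE.min) >= 0 && cmp(parse(v), RANGE.max) <= 0;

// lockText: contents of pnpm-lock.yaml (e.g. fs.readFileSync(path, "utf8")).
// Returns in-range lodash versions and the entries that depend on them.
function findVulnerableLodash(lockText) {
  const versions = new Set();
  const dependents = new Set();
  let entry = null; // current two-space-indented package/snapshot key
  for (const line of lockText.split(/\r?\n/)) {
    const key = line.match(/^ {2}['"]?\/?([^\s'"]+?)['"]?:(?:\s|$)/);
    if (key) {
      entry = key[1];
      const self = entry.match(/^lodash@(\d+\.\d+\.\d+)/);
      if (self && inRange(self[1])) versions.add(self[1]);
      continue;
    }
    const dep = line.match(/^ {6}lodash: ['"]?(\d+\.\d+\.\d+)/);
    if (dep && entry && inRange(dep[1])) dependents.add(entry);
  }
  return { versions: [...versions].sort(), dependents: [...dependents].sort() };
}

// Constructed lockfile excerpts (not from the repository).
const BEFORE = [
  "packages:",
  "  lodash@4.17.21:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "snapshots:",
  "  lodash@4.17.21: {}",
  "  recharts@2.15.0(react@18.3.1):",
  "    dependencies:",
  "      lodash: 4.17.21",
].join("\n");
const AFTER = [
  "snapshots:",
  "  recharts@3.7.0(react@18.3.1):",
  "    dependencies:",
  "      es-toolkit: 1.0.0",
].join("\n");

console.log(findVulnerableLodash(BEFORE), findVulnerableLodash(AFTER));
```

The check matches the `lodash` package only; sibling packages such as `lodash-es` have their own lockfile keys and are not flagged by it.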

@anthonyshew anthonyshew requested a review from a team as a code owner January 31, 2026 22:03
@anthonyshew anthonyshew requested review from tknickman and removed request for a team January 31, 2026 22:03
@turbo-orchestrator turbo-orchestrator bot added the area: site Issues and improvements related to Turborepo's documentation website label Jan 31, 2026
@vercel
Contributor

vercel bot commented Jan 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| examples-basic-web | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-designsystem-docs | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-gatsby-web | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-kitchensink-blog | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-nonmonorepo | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-svelte-web | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-tailwind-web | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| examples-vite-web | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |
| turbo-site | Ready | Preview, Comment, Open in v0 | Jan 31, 2026 10:27pm |

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| turborepo-test-coverage | Skipped | Open in v0 | Jan 31, 2026 10:27pm |

@vercel vercel bot temporarily deployed to Preview – turborepo-test-coverage January 31, 2026 22:22 Inactive
@vercel vercel bot temporarily deployed to Preview – turborepo-test-coverage January 31, 2026 22:26 Inactive
@anthonyshew anthonyshew merged commit 50b5337 into main Jan 31, 2026
48 checks passed
@anthonyshew anthonyshew deleted the anthonyshew/turbo-5162-lodash-recharts branch January 31, 2026 22:34