fix: Upgrade mermaid to fix lodash-es vulnerability by anthonyshew · Pull Request #11611 · vercel/turborepo

anthonyshew · 2026-01-31T22:07:01Z

Summary

Adds lodash-es@4.17.23 as direct dependency in docs/site to fix prototype pollution vulnerability (TURBO-5161)
The vulnerable path was docs/site > mermaid > lodash-es which used 4.17.21
By adding the patched version directly, mermaid now resolves to the secure 4.17.23 version

vercel · 2026-01-31T22:07:03Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
examples-basic-web	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-designsystem-docs	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-gatsby-web	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-kitchensink-blog	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-nonmonorepo	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-svelte-web	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-tailwind-web	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
examples-vite-web	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
turbo-site	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm
turborepo-test-coverage	Ready	Preview, Comment, Open in v0	Jan 31, 2026 10:08pm

fix: Upgrade mermaid to fix lodash-es vulnerability

970b4a7

anthonyshew requested a review from a team as a code owner January 31, 2026 22:07

anthonyshew requested review from tknickman and removed request for a team January 31, 2026 22:07

turbo-orchestrator bot added the area: site Issues and improvements related to Turborepo's documentation website label Jan 31, 2026

vercel bot deployed to Preview – turborepo-test-coverage January 31, 2026 22:07 View deployment

anthonyshew merged commit 1ed1cc5 into main Jan 31, 2026
48 checks passed

anthonyshew deleted the anthonyshew/turbo-5161-lodash-es-mermaid branch January 31, 2026 22:19