Skip to content

fix(deps): update dependency lodash.template to v4.18.0 [security]#421

Merged
bicstone merged 3 commits into
masterfrom
renovate/npm-lodash.template-vulnerability
May 6, 2026
Merged

fix(deps): update dependency lodash.template to v4.18.0 [security]#421
bicstone merged 3 commits into
masterfrom
renovate/npm-lodash.template-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 2, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
lodash.template (source) 4.5.04.18.0 age confidence

lodash vulnerable to Code Injection via _.template imports key names

CVE-2026-4800 / GHSA-r5fr-rjxr-66jc

More information

Details

Impact

The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches

Users should upgrade to version 4.18.0.

The fix applies two changes:

  1. Validate importsKeys against the existing reForbiddenIdentifierChars regex (same check already used for the variable option)
  2. Replace assignInWith with assignWith when merging imports, so only own properties are enumerated
Workarounds

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

lodash/lodash (lodash.template)

v4.18.0

Compare Source

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from bicstone April 2, 2026 04:35
@renovate renovate Bot force-pushed the renovate/npm-lodash.template-vulnerability branch 3 times, most recently from 9165f96 to 2a2b7c5 Compare April 12, 2026 20:29
@renovate renovate Bot force-pushed the renovate/npm-lodash.template-vulnerability branch 3 times, most recently from 7541b02 to fa1d515 Compare April 24, 2026 00:50
@renovate renovate Bot force-pushed the renovate/npm-lodash.template-vulnerability branch from fa1d515 to 152ab48 Compare April 26, 2026 21:26
@renovate renovate Bot changed the title fix(deps): update dependency lodash.template to v4.18.0 [security] fix(deps): update dependency lodash.template to v4.18.0 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-lodash.template-vulnerability branch April 27, 2026 17:07
@renovate renovate Bot changed the title fix(deps): update dependency lodash.template to v4.18.0 [security] - autoclosed fix(deps): update dependency lodash.template to v4.18.0 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash.template-vulnerability branch 4 times, most recently from 916c57a to 6f8e754 Compare May 3, 2026 21:54
@renovate renovate Bot force-pushed the renovate/npm-lodash.template-vulnerability branch from 6f8e754 to abac513 Compare May 6, 2026 06:58
bicstone and others added 2 commits May 6, 2026 16:01
@bicstone @claude
fix(deps): bump lodash.template to 4.18.1
583d5ef 
4.18.0 is a bad release (deprecated by maintainers) that throws
`ReferenceError: assignWith is not defined` at template compile time,
breaking the entire build. 4.18.1 ships the missing `assignWith`
definition while keeping the CVE-2026-4800 fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bicstone @claude
chore: rebuild dist for lodash.template 4.18.1
fccda6b 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 6, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@bicstone bicstone merged commit 7e92f48 into master May 6, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bicstone bicstone bicstone approved these changes

Assignees

@bicstone bicstone

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bicstone