
chore(deps-dev): bump lodash-es from 4.17.21 to 4.18.1#28

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/lodash-es-4.18.1

Conversation


@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps lodash-es from 4.17.21 to 4.18.1.

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI but fails because the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view
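The two guards described in the 4.18.0 security notes above (the constructor/prototype path guard in _.unset and the imports-key check in _.template), written out as an added example; this is not lodash's code, names such as safeUnset, validateImportsKeys and FORBIDDEN_PATH_KEYS are mine, and the character class mirrors lodash's reForbiddenIdentifierChars.

```javascript
// Added example, not lodash's own code: the two guards the 4.18.0 release notes describe,
// written out so their behaviour can be checked. Function and constant names are my own.

// Keys that must never be traversed through as non-terminal path segments. 'constructor' and
// 'prototype' are the ones the notes cite; '__proto__' is included here to match baseSet,
// which the notes say the fix mirrors.
const FORBIDDEN_PATH_KEYS = new Set(['constructor', 'prototype', '__proto__']);

// Same character class lodash uses to reject unsafe `variable` names; now applied to imports keys.
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Normalise 'a.b.c', ['a', 'b', 'c'] and array-wrapped segments like [['constructor'], 'x']
// to plain strings *before* the guard runs, so a wrapped segment cannot slip past a === check
// and still coerce to 'constructor' at property-access time.
function toPath(path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  return segs.map(String);
}

// Delete target[path]. Returns false and leaves target untouched when the path would traverse
// constructor/prototype or when the root is a primitive; otherwise behaves like a plain unset.
function safeUnset(target, path) {
  const keys = toPath(path);
  for (let i = 0; i < keys.length - 1; i++) {
    if (FORBIDDEN_PATH_KEYS.has(keys[i])) return false;
  }
  // Primitive roots have no own properties; refuse instead of walking up to their prototype.
  if (target === null || (typeof target !== 'object' && typeof target !== 'function')) return false;
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(obj, keys[i])) return true; // nothing to delete
    obj = obj[keys[i]];
    if (obj === null || typeof obj !== 'object') return true;
  }
  const last = keys[keys.length - 1];
  return hasOwn(obj, last) ? delete obj[last] : true;
}

// Reject any imports key that could break out of the identifier position in the generated
// Function() source. The message is the one quoted in the release notes.
function validateImportsKeys(imports) {
  for (const key of Object.keys(imports || {})) {
    if (reForbiddenIdentifierChars.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return true;
}
```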

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 2, 2026

entelligence-ai-pr-reviews bot commented Apr 2, 2026

EntelligenceAI PR Summary

Bumps the lodash-es dependency to 4.18.1 in package-lock.json to reflect a minor version upgrade.

  • Updated lodash-es version from 4.17.21 → 4.18.1
  • Refreshed package integrity hash to match new version
  • Added explicit license: MIT field to the lock file entry

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this is a straightforward dependency bump of lodash-es from 4.17.21 to 4.18.1 with corresponding package-lock.json updates and explicit MIT license metadata. The PR makes no changes to application code, logic, or configuration; it purely updates dependency versions and their associated integrity hashes, which is a routine maintenance operation. No review comments were generated and no substantive issues were identified.

Key Findings:

  • Dependency version bump is isolated to package.json and package-lock.json with no application code changes
  • Integrity hash and resolved URL in package-lock.json are updated consistently with the new version
  • Explicit MIT license declaration is added to package metadata, improving transparency without introducing risk
  • Zero review comments generated and zero pre-existing unresolved issues indicate no substantive concerns


Walkthrough

This update bumps the lodash-es peer dependency from version 4.17.21 to 4.18.1 in package-lock.json. The change reflects a minor version increment, includes an updated package integrity hash, and adds an explicit license: MIT field to the lock file entry.

Changes

File(s) Summary
package-lock.json Updated lodash-es peer dependency version from 4.17.21 to 4.18.1, refreshed integrity hash, and added explicit license: MIT field.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title lodash-es Dependency Update (package-lock.json)

    participant Dev as Developer
    participant NPM as NPM Registry
    participant App as Application

    Note over Dev,App: PR updates lodash-es 4.17.21 → 4.18.1

    Dev->>NPM: npm install (resolves lodash-es@4.18.1)
    NPM-->>Dev: lodash-es@4.18.1 (MIT license, peer dep)

    Note over Dev: package-lock.json updated with
new version + integrity hash + license field

    Dev->>App: Build / bundle application
    App-->>Dev: Bundled with updated lodash-es@4.18.1

    Note over NPM,App: No API or behavioral changes —
version bump and license field addition only

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/lodash-es-4.18.1 branch from a9c2221 to 03a36f4 Compare April 8, 2026 06:17