Skip to content

chore(deps): update dependency lodash to v4.17.23 [security]#1673

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-lodash-vulnerability
Open

chore(deps): update dependency lodash to v4.17.23 [security]#1673
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-lodash-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 22, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions

CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg

More information

Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Copy link
Copy Markdown

Hi @renovate[bot]! 👋
Thank you for submitting a pull request! We appreciate your contribution and will review your changes as soon as possible.

@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 29dc0c8 to b6965b1 Compare January 23, 2026 18:43
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from b6965b1 to b552a02 Compare February 2, 2026 20:53
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from bf32ff9 to a32e214 Compare February 17, 2026 19:06
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from a32e214 to 9ed5db8 Compare March 5, 2026 15:57
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 9ed5db8 to 62ab890 Compare March 13, 2026 16:17
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-lodash-vulnerability branch March 27, 2026 01:39
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed chore(deps): update dependency lodash to v4.17.23 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 62ab890 to 7b6d78d Compare March 30, 2026 17:30
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed Apr 1, 2026
@renovate renovate Bot closed this Apr 1, 2026
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed chore(deps): update dependency lodash to v4.17.23 [security] Apr 1, 2026
@renovate renovate Bot reopened this Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 7b6d78d to 147c33a Compare April 1, 2026 13:03
@codacy-production

codacy-production Bot commented Apr 1, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🟢 Coverage ∅ diff coverage · +0.00% coverage variation

Metric Results
Coverage variation +0.00% coverage variation
Diff coverage diff coverage

View coverage diff in Codacy

Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (287ed0c) Report Missing Report Missing Report Missing
Head commit (dd90aff) 3920 (+0) 3920 (+0) 100.00% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#1673) 0 0 ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 147c33a to f1e8c38 Compare April 8, 2026 14:46
@renovate renovate Bot enabled auto-merge (squash) April 8, 2026 14:46
@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 18:32

Pull request was closed

@renovate renovate Bot changed the title chore(deps): update dependency lodash to v4.17.23 [security] - autoclosed chore(deps): update dependency lodash to v4.17.23 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from f1e8c38 to 01bebfb Compare April 27, 2026 23:14
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 01bebfb to 15b3901 Compare April 29, 2026 12:15
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 12:15
@sonarqubecloud

Copy link
Copy Markdown

@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 15b3901 to ba59f07 Compare May 12, 2026 15:41
@sonarqubecloud

Copy link
Copy Markdown

@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from ba59f07 to b0b6c6d Compare May 18, 2026 14:54
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 6ab4bdf to 29fd41c Compare June 1, 2026 15:57
@renovate renovate Bot force-pushed the renovate/npm-lodash-vulnerability branch from 29fd41c to dd90aff Compare June 11, 2026 19:34
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants