chore(deps): bump lodash from 4.17.21 to 4.17.23 #5658
47ad21a to 5b19b4b
rtibblesbot left a comment
Dependency Update Review
Package: lodash 4.17.21 → 4.17.23
Semver risk: Patch
Dependency type: Production
CI status: Passing (linting, frontend tests, frontend build all green)
Changelog Analysis
Sources consulted:
- GitHub Advisory GHSA-xxjr-mmjv-4gpg
- CVE-2025-13465 (Snyk)
- Commit edadd45 — Prevent prototype pollution on baseUnset
- Release tag 4.17.23
Breaking changes: None found.
Security fixes:
- CVE-2025-13465 (CVSS 6.9): Prototype pollution vulnerability in `_.unset` and `_.omit` functions via the internal `baseUnset` function. Before the patch, crafted paths like `['__proto__', 'polluted']` could delete properties from `Object.prototype`, potentially leading to denial of service or unexpected application behavior. The fix validates path segments and blocks `__proto__` and `constructor.prototype` traversal.
Other notable changes:
- JSDoc fix for `setCacheHas` return type
- Documentation updates (compact falsey values, Open JS Foundation links)
- CI/build improvements (Bun pipeline, Renovate setup)
Compatibility Assessment
- Project uses affected APIs: Yes — `lodash/omit` is imported and used in 3 source files (`client.js`, `changes.js`, `indexedDBPlugin/index.js`). All usages pass static string arrays as paths (e.g., `omit(obj, ['field'])`), so no breakage is expected from the tightened validation, but the project directly benefits from the security fix.
- Peer dependency requirements satisfied: Yes — no new peer dependencies
- Code changes required: No — patch-level, no API changes
- Lockfile changes: As expected — `lodash` 4.17.21 → 4.17.23 with transitive dependency references updated consistently
- Prior attempts: No prior PRs for this upgrade found
Recommendation
APPROVE — This is a patch-level security update fixing CVE-2025-13465 (prototype pollution). CI passes, no breaking changes, and the project actively uses the affected `_.omit` function. Merging promptly is recommended.
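The review above describes the fix as path-segment validation that refuses `__proto__` and `constructor.prototype` traversal before any deletion happens. The block below is an added illustration, not lodash's own code: a small deep unset/omit with that guard in front of it, so a crafted path is rejected and `Object.prototype` is left intact while the project's `omit(obj, ['field'])` style of call keeps working. All names in it (`castPath`, `isSafePath`, `safeUnset`, `safeOmit`, `clonePlain`) are this example's own, and the data it operates on is constructed.

```javascript
// Added example (not lodash's implementation): a path guard that mirrors the
// behaviour the review attributes to the baseUnset fix, wired into a minimal
// deep unset and omit. Function names are this example's own.

// Normalise a path: arrays are used as-is, dotted strings are split.
function castPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// The guard: refuse any path that would walk into a shared prototype,
// either directly via "__proto__" or via "constructor" then "prototype".
function isSafePath(path) {
  for (let i = 0; i < path.length; i += 1) {
    if (path[i] === '__proto__') return false;
    if (path[i] === 'constructor' && path[i + 1] === 'prototype') return false;
  }
  return true;
}

// Delete the own property at `path`. Returns false when the path is rejected
// by the guard, true otherwise (including when there was nothing to delete).
function safeUnset(object, path) {
  const keys = castPath(path);
  if (keys.length === 0) return true;
  if (!isSafePath(keys)) return false; // guard runs before any traversal
  let parent = object;
  for (let i = 0; i < keys.length - 1; i += 1) {
    if (parent == null || typeof parent !== 'object') return true;
    parent = parent[keys[i]];
  }
  if (parent == null || typeof parent !== 'object') return true;
  delete parent[keys[keys.length - 1]];
  return true;
}

// Deep copy of plain data so omit never mutates its input.
function clonePlain(value) {
  if (Array.isArray(value)) return value.map(clonePlain);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) out[k] = clonePlain(value[k]);
    return out;
  }
  return value;
}

// omit: copy the object, then unset each path on the copy.
function safeOmit(object, paths) {
  const copy = clonePlain(object);
  for (const p of paths) safeUnset(copy, p);
  return copy;
}

// Without the guard, `{}`.__proto__ is Object.prototype, so the deletion
// below would reach the shared prototype. With it, the call is rejected
// and Object.prototype still owns toString.
function blockedPathLeavesPrototypeIntact() {
  const accepted = safeUnset({}, ['__proto__', 'toString']);
  return accepted === false &&
    Object.prototype.hasOwnProperty.call(Object.prototype, 'toString');
}

// Legitimate usage of the kind the review mentions (static string paths).
function legitimateOmitStillWorks() {
  const record = { id: 1, password: 'x', meta: { token: 't', keep: true } };
  return safeOmit(record, ['password', 'meta.token']);
}

console.log(blockedPathLeavesPrototypeIntact(), legitimateOmitStillWorks());
```

The guard is deliberately placed before the walk, not inside it: once the traversal has stepped into `Object.prototype`, a `delete` on the final key is already too late. Checking the raw segments first is cheap and makes the rejection independent of what the object happens to contain.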
@dependabot rebase
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
5b19b4b to 6fb74cf
rtibblesbot left a comment
Dependency Update Review
Package: lodash 4.17.21 → 4.17.23
Semver risk: Patch
Dependency type: Production
CI status: Passing
Changelog Analysis
Sources consulted:
Security fixes:
- GHSA-xxjr-mmjv-4gpg: Prototype pollution via `baseUnset` function — the fix blocks `__proto__` access and `constructor.prototype` chains in `_.unset()`/`_.omit()` paths. This is the primary motivation for this update.
Breaking changes: None.
Other changes: JSDoc corrections (`setCacheHas` return type, `_.compact` falsey values list), upstream CI/build tooling updates. No API or behavior changes.
Compatibility Assessment
- Project uses affected APIs: Possible (lodash is used broadly), but the fix only tightens validation on prototype-polluting paths — legitimate usage is unaffected.
- Peer dependency changes: None.
- Code changes required: None.
- Lockfile: Clean — all changes are mechanical `4.17.21` → `4.17.23` substitutions with no unexpected additions.
Recommendation
APPROVE — Low-risk patch with a meaningful security fix. CI passing.
rtibblesbot left a comment
Dependency Update Review
Package: lodash 4.17.21 → 4.17.23
Semver risk: Patch
Dependency type: Production
CI status: Passing (linting, frontend build, frontend tests)
Changelog Analysis
Sources consulted:
Security fixes:
- CVE-2025-13465 — Prototype pollution in `_.unset` and `_.omit` via the internal `baseUnset` function. Lodash 4.0.0–4.17.22 allowed crafted paths to traverse `__proto__` or `constructor.prototype`, enabling deletion of properties from global prototypes (DoS or unexpected behavior). Fixed by adding path validation to block `__proto__` and `constructor.prototype` traversal.
Breaking changes: None.
Other changes: JSDoc fixes only (`setCacheHas` return type, `_.compact` falsey values list). No API changes.
Compatibility Assessment
- Project uses affected APIs (`_.omit`/`_.unset`): possibly, but the fix only adds guards against malicious paths — normal usage is unaffected.
- Peer dependency changes: none.
- Code changes required: none.
- Lockfile: only `lodash` and its transitive dependents updated (vue-loader, @vue/component-compiler-utils, @vue/test-utils, @testing-library/vue, babel-template, babel-traverse, babel-types). No unexpected additions.
Recommendation
APPROVE — Low-risk patch bump that fixes a security vulnerability (CVE-2025-13465). CI passing. No breaking changes or code migration needed.
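The reviews above rest on the lockfile containing only the single `lodash` entry plus transitive references updated consistently. That is worth checking mechanically, because a package with its own nested `node_modules/lodash` copy can stay on the old version while the hoisted copy moves. The block below is an added example, not code from the PR or the project: it scans an npm `package-lock.json` v2/v3 `packages` map for every copy of a package and reports the ones still below the fixed version. The lock object inside it is constructed for the demonstration (the PR's own lockfile is reported clean) and the `vue-loader` version in it is a placeholder; `compareVersions`, `findCopies` and `findUnpatched` are this example's names.

```javascript
// Added example (not part of the PR): find every copy of a dependency in an
// npm package-lock v2/v3 "packages" map, including copies nested under other
// packages' node_modules, and flag those below a fixed version.

// Plain x.y.z comparison (assumption: no pre-release tags in the lock).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i += 1) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lock entry whose path ends in node_modules/<name>; this catches the
// hoisted copy and any nested copy such as
// node_modules/<other>/node_modules/<name>, but not similarly named packages.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Copies that still resolve below the version carrying the fix.
function findUnpatched(lock, name, fixedVersion) {
  return findCopies(lock, name).filter(
    (copy) => compareVersions(copy.version, fixedVersion) < 0
  );
}

// Constructed lock: the hoisted lodash is updated, but a stale nested copy
// under vue-loader (version placeholder) is still on 4.17.21.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.23', 'vue-loader': '^15.0.0' } },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/lodash-es': { version: '4.17.21' },
    'node_modules/vue-loader': {
      version: '15.0.0',
      dependencies: { lodash: '^4.17.21' },
    },
    'node_modules/vue-loader/node_modules/lodash': { version: '4.17.21' },
  },
};

// Usage: paste your real lock in place of SAMPLE_LOCK, or read it with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
console.log(findUnpatched(SAMPLE_LOCK, 'lodash', '4.17.23'));
```

An empty result is the "Clean" verdict the reviews above give; anything else names the path that still needs a dedupe or an override before the update can be called complete. `lodash-es` is a different package and is intentionally not matched.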
rtibbles left a comment
This is good, although @rtibblesbot is still being too spammy in response to PR comments.
Bumps lodash from 4.17.21 to 4.17.23.
Commits
- dec55b7 Bump main to v4.17.23 (#6088)
- 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
- b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
- edadd45 Prevent prototype pollution on baseUnset function
- 4879a7a doc: fix autoLink function, conversion of source links (#6056)
- 9648f69 chore: remove yarn.lock file (#6053)
- dfa407d ci: remove legacy configuration files (#6052)
- 156e196 feat: add renovate setup (#6039)
- 933e106 ci: add pipeline for Bun (#6023)
- 072a807 docs: update links related to Open JS Foundation (#5968)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.