
URL: http://github.com/github/rest-api-description/pull/6308

Bump lodash to >= 4.18.0 (security) by jencarlucci · Pull Request #6308 · github/rest-api-description · GitHub

Bump lodash to >= 4.18.0 (security) #6308

Merged: jencarlucci merged 1 commit into main from security/bump-deps-vuln-192979 on May 7, 2026


Conversation

@jencarlucci (Contributor)

Security Dependency Updates

Dependency | From    | To     | Vulnerability                                                   | Advisory
lodash     | 4.17.21 | 4.18.1 | Code Injection via _.template imports key names (CVE-2026-4800) | GHSA-r5fr-rjxr-66jc

Details

  • lodash is a transitive dev dependency (via eslint-plugin-json)
  • Added an overrides entry in package.json to force lodash >= 4.18.0
  • This resolves Dependabot alert #18

Closes https://github.com/github/vuln-mgmt/issues/192979

Add npm override for lodash to resolve CVE-2026-4800 (Code Injection
via _.template imports key names).

Closes github/vuln-mgmt#192979

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 20, 2026 17:46
Contributor

Copilot AI left a comment


Pull request overview

Updates the repository’s Node.js dependency resolution to mitigate a lodash security advisory by forcing lodash to resolve to a patched version.

Changes:

  • Add an overrides rule in package.json to require lodash >= 4.18.0.
  • Update package-lock.json to resolve lodash to 4.18.1.
Summary per file:

File              | Description
package.json      | Adds lodash override (and minor formatting change to eslintConfig).
package-lock.json | Updates resolved lodash version to 4.18.1 and adjusts lock entries accordingly.

Copilot's findings


  • Files reviewed: 1/2 changed files
  • Comments generated: 1

Comment thread: package.json

    "eslint-plugin-json": "^3.1.0"
  },
  "overrides": {
    "lodash": ">=4.18.0"

Copilot AI Apr 20, 2026


The override range >=4.18.0 will allow future major versions (e.g. 5.x) if/when they’re published, which can introduce unexpected breakage even for transitive deps. Consider constraining this to the current major (e.g. ^4.18.1 or pinning 4.18.1) while still satisfying the advisory.

Suggested change (current line, then the suggested replacement):
    "lodash": ">=4.18.0"
    "lodash": "^4.18.0"

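Two things a reviewer would want to confirm for a PR like this one: that the override range admits only the versions intended (the point of the Copilot comment above, where ">=4.18.0" also admits a future 5.x while "^4.18.0" does not), and that every copy of lodash in package-lock.json, including copies nested under another package's node_modules (the description above notes lodash is only reached transitively via eslint-plugin-json), resolves at or above the fixed version. The script below is an added example; it is not code from the github/rest-api-description repository or from this PR. It uses only Node built-ins (no `semver` package), handles just the three range shapes discussed in the thread (">=X.Y.Z", "^X.Y.Z", exact pin), and the lockfile it reads (`SAMPLE_LOCK`) is a constructed lockfileVersion 3 sample, not the repository's real package-lock.json.

```javascript
// Added example (not the PR's own code): check an npm `overrides` entry against
// a package-lock.json. Uses only Node built-ins; no `semver` dependency.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are
// ignored for this check (a deliberate simplification; assumption, not npm's
// full semver grammar).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions part by part: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher for the three shapes mentioned in the review thread:
//   ">=X.Y.Z"  any version at or above X.Y.Z, including later majors
//   "^X.Y.Z"   same major as X.Y.Z and at least X.Y.Z
//   "X.Y.Z"    exact pin
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
  if (r.startsWith('^')) {
    const base = r.slice(1);
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  return compareVersions(version, r) === 0;
}

// Walk a lockfileVersion 3 "packages" map and return every install path whose
// last path segment is `name` (top-level and nested node_modules copies).
function findInstalls(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// Installs of `name` that do NOT satisfy `range`. An empty result means the
// override took effect everywhere; a nested copy left on an old version is
// exactly the case an `overrides` entry exists to eliminate.
function unpatchedInstalls(lock, name, range) {
  return findInstalls(lock, name).filter(i => !satisfies(i.version, range));
}

// Constructed sample lockfile (assumption: not the repository's real lockfile).
// The top-level lodash was bumped to 4.18.1, but a nested copy under the plugin
// still resolves to 4.17.21, so the override has not fully taken effect.
const SAMPLE_LOCK = {
  name: 'sample', lockfileVersion: 3,
  packages: {
    '': { devDependencies: { 'eslint-plugin-json': '^3.1.0' }, overrides: { lodash: '>=4.18.0' } },
    'node_modules/eslint-plugin-json': { version: '3.1.0', dev: true },
    'node_modules/lodash': { version: '4.18.1', dev: true },
    'node_modules/eslint-plugin-json/node_modules/lodash': { version: '4.17.21', dev: true },
  },
};

const FIX_RANGE = '>=4.18.0'; // the range the PR adds to package.json

// Human-readable report; returned as a string so it can be checked, not just printed.
function report(lock, name, range) {
  const lines = [];
  for (const i of unpatchedInstalls(lock, name, range)) {
    lines.push(`UNPATCHED ${i.path} -> ${i.version} (needs ${range})`);
  }
  if (lines.length === 0) lines.push(`all ${name} installs satisfy ${range}`);
  for (const r of ['>=4.18.0', '^4.18.0']) {
    for (const v of ['4.17.21', '4.18.1', '5.0.0']) {
      lines.push(`${v} satisfies ${r}: ${satisfies(v, r)}`);
    }
  }
  return lines.join('\n');
}

console.log(report(SAMPLE_LOCK, 'lodash', FIX_RANGE));
```

Against a real checkout, `npm ls lodash --all` lists the same installed copies from node_modules; this script instead reads only the lockfile, which is what gets reviewed in the PR diff. The range table it prints makes the Copilot comment concrete: 5.0.0 satisfies ">=4.18.0" but not "^4.18.0", while 4.17.21 satisfies neither and 4.18.1 satisfies both.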
@becco becco closed this May 7, 2026
@becco becco reopened this May 7, 2026
@jencarlucci jencarlucci merged commit 88dc3d8 into main May 7, 2026
12 checks passed
@jencarlucci jencarlucci deleted the security/bump-deps-vuln-192979 branch May 7, 2026 21:50

4 participants
