chore(deps): bump lodash from 4.17.21 to 4.17.23 #14506 (Merged)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
mrgrain (Contributor) approved these changes on Feb 27, 2026.
iliapolo added a commit that referenced this pull request on Apr 23, 2026:
…existing CLI (#14802)

- chore(deps): bump node-forge from 1.3.1 to 1.3.3 (#14382) Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.3. - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.3) --- updated-dependencies: - dependency-name: node-forge dependency-version: 1.3.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump validator from 13.7.0 to 13.15.23 (#14378) Bumps [validator](https://github.com/validatorjs/validator.js) from 13.7.0 to 13.15.23. - [Release notes](https://github.com/validatorjs/validator.js/releases) - [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md) - [Commits](validatorjs/validator.js@13.7.0...13.15.23) --- updated-dependencies: - dependency-name: validator dependency-version: 13.15.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump js-yaml from 4.1.0 to 4.1.1 (#14359) Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump js-yaml from 4.1.0 to 4.1.1 in /scripts (#14343) Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump glob from 11.0.2 to 11.1.0 (#14352)
- chore(deps): bump glob from 11.0.2 to 11.1.0 Bumps [glob](https://github.com/isaacs/node-glob) from 11.0.2 to 11.1.0. - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v11.0.2...v11.1.0) --- updated-dependencies: - dependency-name: glob dependency-version: 11.1.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
- chore: manual intervention --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: aws-amplify-bot <aws@amazon.com>
- chore: upgrade dependencies
- chore: fix gen2-migration release workflow (#14448) chore: mid work
- ci: add explicit permissions to GitHub Actions workflows (#14449)
- chore: scope down permissions for closed-issue-message.yml
- chore: scope down permissions for build-test-mac.yml
- chore: scope down permissions for release-gen2-migration.yml --------- Co-authored-by: Sai Ray <saisujit@amazon.com>
- chore: update `node-gyp`, `node-pty`, and windows container (#14468) chore: update node-gyp, node-pty, and windows container Co-authored-by: aws-amplify-bot <aws@amazon.com>
- fix mac smoke tests (#14509)
- chore: mac is special
- chore: new macs
- chore: ensure mac has permissions
- chore: revert shell changes
- chore: update iOS --------- Co-authored-by: aws-amplify-bot <aws@amazon.com>
- chore(release): Publish latest - @aws-amplify/cli-internal@14.2.4 - @aws-amplify/cli@14.2.4 - @aws-amplify/amplify-console-integration-tests@2.11.29 - @aws-amplify/amplify-container-hosting@2.8.24 - @aws-amplify/amplify-e2e-core@5.7.10 - amplify-e2e-tests@4.11.14 - @aws-amplify/amplify-migration-tests@6.5.11 - @aws-amplify/amplify-util-mock@5.10.26 - @aws-amplify/amplify-util-uibuilder@1.14.25
- fix: unsanitized input in pem file content handler (#14508) Replaced the use of `execSync` with `spawnSync` and parameterized input strings to prevent shell command injection. Removed the use of `$TSAny` in the file. Added unit tests.
- fix: errant certificate mark handling (#14514)
- chore(release): Publish latest - @aws-amplify/amplify-category-notifications@2.26.42 - @aws-amplify/cli-internal@14.2.5 - @aws-amplify/cli@14.2.5 - amplify-e2e-tests@4.11.15
- chore(deps): bump tar from 6.2.1 to 7.5.4 (#14502) Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.1 to 7.5.4. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.2.1...v7.5.4) --- updated-dependencies: - dependency-name: tar dependency-version: 7.5.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore: provide a link to the Gen2 migration tool in Gen2 banner (#14533)
- Update migration guidance for Gen 1 customers Encourage Gen 1 customers to test migration tool for Gen 2.
- Revise migration instructions for Gen 1 customers Updated wording for migration guidance from Gen 1 to Gen 2.
- chore(deps): bump basic-ftp from 5.0.3 to 5.2.0 Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.0.3 to 5.2.0. - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.0.3...v5.2.0) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
- chore(deps): bump lodash from 4.17.21 to 4.17.23 (#14506) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump lodash-es from 4.17.21 to 4.17.23 (#14505) Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- fix: resolve critical and high dependabot alerts (fast-xml-parser, tar, rollup) Adds yarn resolutions to upgrade transitive dependencies: - fast-xml-parser ~4.5.4 (CVE entity encoding bypass, DoS) - tar >=7.5.10 (path traversal, symlink poisoning) - rollup 2.80.0 (path traversal file write)
- fix: bump aws-cdk-lib to 2.241.0 and constructs to 10.5.0 Fixes #14631 Upgrades aws-cdk-lib from ~2.189.1 to ~2.241.0 across the monorepo to resolve the minimatch ReDoS vulnerability (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74). Also bumps constructs from ^10.0.5 to ^10.5.0 to satisfy the peer dependency requirement of the newer aws-cdk-lib. Fixes CfnManagedPolicy roles validation in consolidate-apigw-policies.ts by using CfnParameter.valueAsString instead of an unsafe type cast, which is required by the stricter validation in aws-cdk-lib 2.241.0.
- chore: run yarn dedupe to fix CI verify_yarn_lock check
- chore: run yarn dedupe to fix CI verify_yarn_lock check
- fix: downgrade tar resolution to ^6.2.1 to fix lerna compatibility tar v7 removed tar.create() API which breaks lerna's packDirectory. CVE-2024-28863 is fixed in tar 6.2.1, so ^6.2.1 is safe.
- chore(deps): bump minimatch from 3.0.4 to 3.1.5 in /scripts Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.5. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.4...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
- chore(deps): bump minimatch from 3.1.2 to 3.1.4 Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.4. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.4) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
- fix: resolve high dependabot alerts (immutable, svgo, serialize-javascript) Fixes transitive dependency vulnerabilities: - immutable >=4.3.8 (prototype pollution) - svgo >=3.3.3 (DoS via entity expansion) - serialize-javascript >=7.0.3 (RCE via RegExp/Date) Changes: - Added resolutions for immutable, svgo, serialize-javascript in root package.json - Upgraded @svgr/webpack from ^5.5.0 to ^8.1.0 in amplify-graphiql-explorer
- chore: run yarn dedupe to fix CI verify_yarn_lock check
- fix: use ^ instead of >= in dependency resolutions for safety
- feat: add retry on throttling exceptions for ssm
- fix: update few code fixes
- chore: e2e and dependabot management scripting + agent docs (#14625)
- feat: add agentic workflow infrastructure - Add AGENTS.md with workflow guide for AI agents - Add .agent-docs/DEPENDABOT.md for dependency management workflow - Add .agent-docs/LOCAL_E2E_TESTING.md for local testing guide - Add scripts/e2e-test-manager.ts for e2e test management - Add scripts/check-dependabot.ts for checking security alerts - Add e2e management commands to package.json (e2e-status, e2e-retry, e2e-monitor, etc.) - Add AWS SDK dependencies to scripts/package.json This infrastructure enables AI coding tools to: - Monitor e2e test status with auto-retry - Check and manage Dependabot alerts - Follow consistent workflows for development and testing
- docs: add README for .agent-docs directory
- fix: remove interactive mwinit from cloud-cli-utils.sh - Remove automatic mwinit call that prompts for credentials - Let ada command fail naturally if credentials not available - Provide clear error message instructing user to run mwinit - Matches pattern from amplify-category-api repo
- fix: use correct role name CodeBuildE2E in e2e-test-manager - Change from CodebuildDeveloper (category-api) to CodeBuildE2E (cli-gen1) - Matches role name used in cloud-cli-utils.sh
- fix: format .agent-docs/README.md with prettier - Add blank lines between sections per prettier rules - Fixes lint failure in e2e tests
- feat: add CODEBUILD_IMAGE_OVERRIDE support - Allow specifying custom container image via CODEBUILD_IMAGE_OVERRIDE env var - Matches pattern from amplify-category-api repo - Enables testing with updated container images Usage: CODEBUILD_IMAGE_OVERRIDE=<image-uri> yarn cloud-e2e
- feat: bump version (#14665)
- chore: fixes smoke tests (#14670)
- chore: remove outdated node version from smoke test
- fix: node 22 compatibility for process.exit and nexpect error logging
- fix: detect windows test
- fix: change node version to node 20
- fix: remove process.env
- fix: crypto flag for node 18
- chore: mid work
- chore: mid work
- chore: mid work
- fix(e2e): improve smoke test stability (#14672)
- fix: change MaxResults from 50 to 10 (#14676)
- Revert/amplify cdk bump (#14681)
- Revert "chore: run yarn dedupe to fix CI verify_yarn_lock check" This reverts commit 95635e1.
- Revert "fix: bump aws-cdk-lib to 2.241.0 and constructs to 10.5.0" This reverts commit b7ea5cf.
- chore: update container Dockerfiles to Node 22 LTS and nginx stable (#14687)
- chore(release): Publish latest - @aws-amplify/amplify-app@5.0.46 - @aws-amplify/amplify-appsync-simulator@2.16.18 - @aws-amplify/amplify-category-function@5.8.0 - @aws-amplify/cli-internal@14.3.0 - @aws-amplify/cli@14.3.0 - @aws-amplify/amplify-console-integration-tests@2.11.30 - @aws-amplify/amplify-container-hosting@2.8.25 - amplify-dynamodb-simulator@2.9.28 - @aws-amplify/amplify-e2e-core@5.7.11 - amplify-e2e-tests@4.11.16 - @aws-amplify/amplify-graphiql-explorer@2.6.5 - @aws-amplify/amplify-migration-tests@6.5.12 - @aws-amplify/amplify-opensearch-simulator@1.7.24 - @aws-amplify/amplify-util-mock@5.10.27
- chore(deps): bump flatted from 3.2.4 to 3.4.2 (#14694) Bumps [flatted](https://github.com/WebReflection/flatted) from 3.2.4 to 3.4.2. - [Commits](WebReflection/flatted@v3.2.4...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- chore(deps): bump brace-expansion from 1.1.12 to 1.1.13 in /scripts (#14734) Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 1.1.13. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- amplify-cli gen2 migration out of alpha
- readme
- prettier
- review changes

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: aws-amplify-bot <aws@amazon.com>
Co-authored-by: Otavio Macedo <288203+otaviomacedo@users.noreply.github.com>
Co-authored-by: Eli Polonsky <Eli.polonsky@gmail.com>
Co-authored-by: Sai Ray <saisujit.sb@gmail.com>
Co-authored-by: Sai Ray <saisujit@amazon.com>
Co-authored-by: Leena <81589006+ShadowCat567@users.noreply.github.com>
Co-authored-by: Jon Wire <iambipedal@gmail.com>
Co-authored-by: Galib Sarayev <sarayev@amazon.com>
Co-authored-by: sarayev <126112721+sarayev@users.noreply.github.com>
Co-authored-by: sanjanaravikumar-az <sanjana.ravikumar.az@gmail.com>
Bumps lodash from 4.17.21 to 4.17.23.
Commits
- dec55b7 Bump main to v4.17.23 (#6088)
- 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
- b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
- edadd45 Prevent prototype pollution on baseUnset function
- 4879a7a doc: fix autoLink function, conversion of source links (#6056)
- 9648f69 chore: remove yarn.lock file (#6053)
- dfa407d ci: remove legacy configuration files (#6052)
- 156e196 feat: add renovate setup (#6039)
- 933e106 ci: add pipeline for Bun (#6023)
- 072a807 docs: update links related to Open JS Foundation (#5968)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.