@tkislan tkislan commented Jan 23, 2026

Summary by CodeRabbit

  • Chores
    • Pinned dependency lodash-es to version 4.17.23 in the project manifest.
    • Minor formatting update to the manifest’s overrides section to accommodate the new entry.


coderabbitai bot commented Jan 23, 2026

📝 Walkthrough

Added an override in package.json: "lodash-es": "^4.17.23". The preceding override entry for "tar@<7.5.4": "7.5.4" was given a trailing comma to keep JSON valid. This is a dependency-resolution configuration change.

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title directly describes the main change: adding a lodash-es override to fix a specific CVE vulnerability.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2025: Entity not found: Issue - Could not find referenced Issue.


coderabbitai bot previously approved these changes Jan 23, 2026
codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (01eeadd) to head (64c0b32).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 2879-2880: Update the lodash-es dependency to ensure
CVE-2025-13465 is addressed by pinning or tightening the range: change
"lodash-es": "^4.17.23" in package.json to at least 4.17.23 (or to the exact
"4.17.23" if your policy requires deterministic pinning) so the patched version
that fixes prototype pollution in _.unset and _.omit is used.
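The review comment above draws the distinction between a caret range and an exact pin for the lodash-es override. As an added example (not code from this PR or from CodeRabbit), the following Node script reads an `overrides` block shaped like this PR's package.json (the manifest below is constructed) and reports whether the entry guarantees at least the patched 4.17.23 and whether it is a deterministic pin:

```javascript
// Added example: check that a package.json "overrides" entry guarantees at
// least a required patched version. The MANIFEST object is constructed to
// mirror this PR's overrides section; the floor 4.17.23 comes from the PR.
// Only plain versions and ^/~ prefixes are handled, no external packages.

const MANIFEST = {
  name: "example-app",
  overrides: {
    "tar@<7.5.4": "7.5.4",
    "lodash-es": "^4.17.23",
  },
};

// Parse "1.2.3", "^1.2.3" or "~1.2.3" into its lower bound [1, 2, 3].
// Any other range syntax ("*", "latest", ">=1.0.0 <2.0.0") returns null:
// it gives no guaranteed floor, so the caller treats it as unsatisfied.
function lowerBound(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { ok, exact, reason } for the override of `pkg`.
// ok:    the lowest version the range can resolve to is >= minVersion
// exact: the override has no ^/~ prefix, i.e. a deterministic pin
function checkOverride(manifest, pkg, minVersion) {
  const range = (manifest.overrides || {})[pkg];
  if (range === undefined) return { ok: false, exact: false, reason: "no override" };
  const floor = lowerBound(range);
  if (!floor) return { ok: false, exact: false, reason: `unbounded range ${range}` };
  const ok = compareVersions(floor, lowerBound(minVersion)) >= 0;
  const exact = /^\d/.test(range.trim());
  return { ok, exact, reason: ok ? "satisfies floor" : `floor ${range} below ${minVersion}` };
}

console.log(checkOverride(MANIFEST, "lodash-es", "4.17.23"));
// → { ok: true, exact: false, reason: 'satisfies floor' }
```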

@tkislan tkislan marked this pull request as ready for review January 23, 2026 20:13
@tkislan tkislan requested a review from a team as a code owner January 23, 2026 20:13
@tkislan tkislan merged commit e2105bc into main Jan 24, 2026
13 checks passed
@tkislan tkislan deleted the tk/upgrade-lodash-es-vulnerability branch January 24, 2026 09:41