Skip to content

chore(deps): update dependency lodash to v4.17.23 [security] #5777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: next
Choose a base branch
from
Open

chore(deps): update dependency lodash to v4.17.23 [security] #5777

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 23, 2026

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

GitHub Vulnerability Alerts

CVE-2025-13465

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Contributor Author

renovate bot commented Jan 23, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 73 workspace projects
.                                        |  WARN  There are cyclic workspace dependencies: /tmp/renovate/repos/github/eggjs/egg/packages/cluster, /tmp/renovate/repos/github/eggjs/egg/plugins/mock, /tmp/renovate/repos/github/eggjs/egg/packages/egg; /tmp/renovate/repos/github/eggjs/egg/tegg/core/runtime, /tmp/renovate/repos/github/eggjs/egg/tegg/core/test-util
 ERROR  Invalid Version: ^4.17.21

pnpm: Invalid Version: ^4.17.21
    at new _SemVer (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38223:17)
    at compare (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38616:65)
    at Object.eq (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:38700:31)
    at installSome (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159270:223)
    at _install (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159212:21)
    at async mutateModules (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:159072:23)
    at async recursive (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160468:100)
    at async recursiveInstallThenUpdateWorkspaceState (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160979:31)
    at async installDeps (/opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:160786:11)
    at async /opt/containerbase/tools/pnpm/10.28.0/24.13.0/node_modules/pnpm/dist/pnpm.cjs:194253:23

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 23, 2026
edited
Loading

Deploying egg-v3 with  Cloudflare Pages  Cloudflare Pages

Latest commit: 7206674
Status: ✅  Deploy successful!
Preview URL: https://258cd57b.egg-v3.pages.dev
Branch Preview URL: https://renovate-npm-lodash-vulnerab.egg-v3.pages.dev

View logs

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 23, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security
Copy link

socket-security bot commented Jan 23, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm safer-buffer is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: ?npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 23, 2026
edited
Loading

Deploying egg with  Cloudflare Pages  Cloudflare Pages

Latest commit: 7206674
Status: ✅  Deploy successful!
Preview URL: https://adf0278a.egg-cci.pages.dev
Branch Preview URL: https://renovate-npm-lodash-vulnerab.egg-cci.pages.dev

View logs

@codecov
Copy link

codecov bot commented Jan 23, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.55%. Comparing base (8c09d7b) to head (7206674).

Additional details and impacted files 
@@            Coverage Diff             @@
##             next    #5777      +/-   ##
==========================================
- Coverage   87.57%   87.55%   -0.02%     
==========================================
  Files         563      563              
  Lines       10940    10940              
  Branches     1242     1242              
==========================================
- Hits         9581     9579       -2     
- Misses       1275     1277       +2     
  Partials       84       84

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant