[api-extractor] Consider using caret (^) instead of tilde (~) for lodash dependency #5742
Description
Summary
The lodash dependency is pinned using a tilde range (~4.17.23), which only permits patch updates within the 4.17.x line. Lodash 4.18.0 was recently released to address CVE-2026-4800, a code injection vulnerability in the _.template function. Because of the tilde constraint, consumers of api-extractor cannot receive this security fix without an explicit update to the package.json in this repository.
More broadly, several other dependencies in api-extractor also use tilde ranges (e.g., @microsoft/tsdoc, resolve, semver, source-map). Switching these to caret ranges would allow consumers to benefit from minor version updates - including security patches - without requiring a new api-extractor release.
Repro steps
Expected result: Consumers can receive lodash security patches (e.g., 4.18.0) when regenerating their lockfiles.
Actual result: The ~4.17.23 constraint prevents resolution to 4.18.0, leaving consumers exposed to CVE-2026-4800 until api-extractor explicitly updates its dependency.
Details
Suggested change:
```diff
- "lodash": "~4.17.23"
+ "lodash": "^4.17.23"
```
Broader suggestion: Consider updating all tilde-pinned dependencies to use caret ranges, allowing minor version updates that could include security patches.
Using a caret range would allow minor version updates (4.17.x → 4.18.x), enabling consumers to automatically receive security patches that are published in minor releases.
References:
Standard questions
| Question | Answer |
|---|---|
| @microsoft/api-extractor version? | 7.57.8 |
| Operating system? | Mac |
| API Extractor scenario? | rollups (.d.ts) |
| Would you consider contributing a PR? | Yes |
| TypeScript compiler version? | 5.5.4 |
| Node.js version (node -v)? | 24.14.0 |
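The resolution behaviour the issue describes (a tilde range stopping at 4.17.x, a caret range admitting 4.18.0), as an added example that is not part of the original issue or of the api-extractor project: a minimal semver range matcher in JavaScript. It assumes plain major.minor.patch versions with no prerelease or build tags and no compound ranges, and the list of "published" versions is constructed for the example, not a registry snapshot.

```javascript
// Added example (not from the api-extractor repo): a minimal semver range
// matcher for plain major.minor.patch versions, enough to show how a tilde
// range and a caret range differ on the versions discussed in the issue.
// Assumptions: no prerelease/build tags, no x-ranges, no compound ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison, major first; negative/zero/positive like Array.sort expects.
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Lower bound (inclusive) and upper bound (exclusive) of a range, per npm's
// semver rules:
//   ~M.m.p -> >=M.m.p <M.(m+1).0
//   ^M.m.p -> >=M.m.p <(M+1).0.0 when M > 0
//   ^0.m.p -> >=0.m.p <0.(m+1).0;  ^0.0.p -> >=0.0.p <0.0.(p+1)
function rangeBounds(range) {
  const op = range[0];
  if (op !== '~' && op !== '^') throw new Error(`unsupported range: ${range}`);
  const lower = parseVersion(range.slice(1));
  let upper;
  if (op === '~') {
    upper = { major: lower.major, minor: lower.minor + 1, patch: 0 };
  } else if (lower.major > 0) {
    upper = { major: lower.major + 1, minor: 0, patch: 0 };
  } else if (lower.minor > 0) {
    upper = { major: 0, minor: lower.minor + 1, patch: 0 };
  } else {
    upper = { major: 0, minor: 0, patch: lower.patch + 1 };
  }
  return { lower, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given the versions a registry offers, return the highest one the range
// permits (what a fresh lockfile resolution would pick), or null if none fit.
function highestSatisfying(versions, range) {
  const ok = versions.filter((v) => satisfies(v, range)).map(parseVersion);
  if (ok.length === 0) return null;
  ok.sort(compare);
  const top = ok[ok.length - 1];
  return `${top.major}.${top.minor}.${top.patch}`;
}

// Constructed sample of published versions for the demonstration
// (not a live registry snapshot).
const PUBLISHED = ['4.17.21', '4.17.23', '4.18.0'];

// Usage: show what each range would resolve to against the sample list.
for (const range of ['~4.17.23', '^4.17.23']) {
  console.log(`${range} -> ${highestSatisfying(PUBLISHED, range)}`);
}
```

Running it prints `~4.17.23 -> 4.17.23` and `^4.17.23 -> 4.18.0`: the tilde range can never pick up a 4.18.x release no matter how often consumers regenerate their lockfiles, while the caret range does so on the next resolution, which is the whole point of the suggested change. The `^0.x` branches are included because the rule is different below major version 1, where caret behaves like tilde.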