Skip to content

refactor: Bump lodash from 4.17.23 to 4.18.1#10386

Closed
dependabot[bot] wants to merge 1 commit intoalphafrom
dependabot/npm_and_yarn/lodash-4.18.1
Closed

refactor: Bump lodash from 4.17.23 to 4.18.1#10386
dependabot[bot] wants to merge 1 commit intoalphafrom
dependabot/npm_and_yarn/lodash-4.18.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026
edited
Loading

Bumps lodash from 4.17.23 to 4.18.1.

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code labels Apr 2, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 2, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title refactor: bump lodash from 4.17.23 to 4.18.1 refactor: Bump lodash from 4.17.23 to 4.18.1 Apr 2, 2026
@dependabot dependabot bot changed the title refactor: Bump lodash from 4.17.23 to 4.18.1 refactor: bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/lodash-4.18.1 branch from 3e3e067 to f61437e Compare April 3, 2026 15:10
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title refactor: bump lodash from 4.17.23 to 4.18.1 refactor: Bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@dependabot dependabot bot changed the title refactor: Bump lodash from 4.17.23 to 4.18.1 refactor: bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/lodash-4.18.1 branch from f61437e to 4785f28 Compare April 3, 2026 16:39
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title refactor: bump lodash from 4.17.23 to 4.18.1 refactor: Bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@dependabot dependabot bot changed the title refactor: Bump lodash from 4.17.23 to 4.18.1 refactor: bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/lodash-4.18.1 branch from 4785f28 to 665ec33 Compare April 3, 2026 17:16
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title refactor: bump lodash from 4.17.23 to 4.18.1 refactor: Bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@dependabot
refactor: bump lodash from 4.17.23 to 4.18.1
569fa70 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title refactor: Bump lodash from 4.17.23 to 4.18.1 refactor: bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/lodash-4.18.1 branch from 665ec33 to 569fa70 Compare April 3, 2026 17:17
@parse-github-assistant parse-github-assistant bot changed the title refactor: bump lodash from 4.17.23 to 4.18.1 refactor: Bump lodash from 4.17.23 to 4.18.1 Apr 3, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

1 similar comment
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 3, 2026

I will reformat the title to use the proper commit message syntax.

@mtrezza mtrezza mentioned this pull request Apr 3, 2026
Merged
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 3, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/lodash-4.18.1 branch April 3, 2026 18:01
@parseplatformorg
Copy link
Copy Markdown
Contributor

parseplatformorg commented Apr 3, 2026

🎉 This change has been released in version 9.8.0-alpha.3

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code state:released-alpha Released as alpha version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@parseplatformorg