
chore(deps): bump lodash to fix Dependabot alerts#627

Merged
aterga merged 1 commit into main from fix/dependabot-lodash-alert
Apr 2, 2026

Conversation

@aterga
Contributor

@aterga aterga commented Apr 2, 2026

Summary

Notes

  • Alert #201 (rustls-webpki 0.102.8) remains open — constrained by ic-agent@0.38.2, requires a major ic-agent version upgrade to resolve

Test plan

  • pnpm install completes successfully
  • Lockfile contains lodash@4.18.1 (no more 4.17.21)
  • CI pipeline passes

🤖 Generated with Claude Code

Add pnpm override for lodash <4.18.0 → ^4.18.1 to resolve:
- Code injection via _.template imports key names (high, #218)
- Prototype pollution via _.unset and _.omit (medium, #217)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@aterga aterga requested a review from a team as a code owner April 2, 2026 11:13
@aterga aterga requested a review from sea-snake April 2, 2026 11:49
@aterga aterga merged commit 8f2624b into main Apr 2, 2026
53 checks passed
@aterga aterga deleted the fix/dependabot-lodash-alert branch April 2, 2026 16:24

2 participants