Bump lodash from 4.17.15 to 4.17.23

[dependabot]

Bumps lodash from 4.17.15 to 4.17.23.

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[MelvinTo]

PR Review Summary

✅ What looks good

• Targeted dependency upgrade is sensible:
• lodash bumped from ^4.17.15 to ^4.17.23 (includes important security fixes over older 4.17.x).
• package-lock.json reflects the dependency change correctly and keeps the tree consistent.
• Scope is narrow (no application logic changes), so runtime behavior risk from app code is low.

⚠️ Issues found

• Medium — lockfile format migration risk (lockfileVersion: 3).
  The PR upgrades lockfile from v1 to v3, which requires newer npm toolchains. If CI/build agents still use npm 6-era environments, install behavior can break or diverge.
• Low — lockfile churn exceeds functional intent.
  This PR appears to be a lodash/security bump, but lockfile conversion introduces many unrelated metadata changes, making audit/review harder.
• Process gap — issue requirement verification.
  No linked issue found.
  I can’t validate this against explicit issue acceptance criteria from the provided context.

💡 Suggestions

• Confirm and enforce Node/npm baseline (npm 7+) across CI and production build environments before merging lockfile v3.
• If environment parity is uncertain, either:
• pin toolchain in CI first, then merge this PR, or
• regenerate lockfile with the repo’s standard npm version.
• Add a short PR note with:
• reason for lodash bump (security/maintenance),
• verification steps run (npm ci, smoke/unit tests).

Verdict

COMMENT

---

Repo: firewalla/firerouter
PR: #1742
Head SHA: cf9842635954c4c0214b02d50ba33ad9048c22bb
Checked at: 2026-03-19 16:33:35 CST

[j-sallyjin]

PR Review Summary

✅ What looks good

• lodash is bumped from ^4.17.15 to ^4.17.23, which is a meaningful security/maintenance improvement.
• Runtime dependency intent is minimal and clear (single direct dep bump), reducing functional behavior risk in app code.
• Lockfile reflects resolved graph consistently for the updated dependency set.

⚠️ Issues found

• High – lockfile format migration risk (lockfileVersion: 1 → 3).
  This PR effectively couples a small dependency bump with an npm lockfile format migration. If any CI/device/runtime environment still uses older npm, install behavior can break or diverge.
• Medium – excessive lockfile churn relative to change intent.
  The direct change is only lodash, but lockfile rewrite introduces broad structural/transitive diff, making review/audit harder and increasing accidental regression surface.
• Medium – missing compatibility/test evidence.
  No evidence in this diff that install/build/tests were executed across the target environment matrix (especially important for infra/device repos).
• Issue requirement coverage: No linked issue found.

💡 Suggestions

• Keep this PR narrowly scoped:
• either retain lockfile format compatible with current deployment toolchain, or
• split into two PRs: (1) lodash security bump, (2) lockfile/toolchain migration.
• Document and validate npm compatibility (CI + runtime/device) before landing lockfile v3.
• Attach verification artifacts:
• clean npm ci on target environments,
• smoke tests / startup checks after dependency update.

Verdict

REQUEST_CHANGES

---

Repo: firewalla/firerouter
PR: #1742
Head SHA: cf9842635954c4c0214b02d50ba33ad9048c22bb
Checked at: 2026-03-28 00:12:32 CST