Skip to content

chore(deps): update dependency lodash-es to v4.17.23 [security] #12833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chenjiahan merged 1 commit into from
Jan 26, 2026
Merged

chore(deps): update dependency lodash-es to v4.17.23 [security] #12833

chenjiahan merged 1 commit into from
Jan 26, 2026
+241 −95

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 25, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
lodash-es (source) 4.17.224.17.23 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-13465

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Release Notes

lodash/lodash (lodash-es)

v4.17.23

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 25, 2026
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 25, 2026

Deploying rspack with  Cloudflare Pages  Cloudflare Pages

Latest commit: 90b94b4
Status: ✅  Deploy successful!
Preview URL: https://15d7511a.rspack-v2.pages.dev
Branch Preview URL: https://renovate-npm-lodash-es-vulne.rspack-v2.pages.dev

View logs

@github-actions
Copy link
Contributor

github-actions bot commented Jan 25, 2026

Rsdoctor Bundle Diff Analysis

Found 5 projects in monorepo, 0 projects with changes.

📊 Quick Summary
Project Total Size Change
react-10k 5.7 MB 0
react-1k 825.5 KB 0
react-5k 2.7 MB 0
ui-components 2.3 MB 0
rome 985.9 KB 0

Generated by Rsdoctor GitHub Action

@github-actions
Copy link
Contributor

github-actions bot commented Jan 25, 2026

📦 Binary Size-limit

Comparing 90b94b4 to chore(ci): read size limit threshold from env variable (#12822) by pshu

🙈 Size remains the same at 48.33MB

@codspeed-hq
Copy link

codspeed-hq bot commented Jan 25, 2026

Merging this PR will not alter performance

✅ 16 untouched benchmarks
⏩ 1 skipped benchmark1

Comparing renovate/npm-lodash-es-vulnerability (90b94b4) with main (dd3e16c)

Open in CodSpeed

Footnotes

  1. 1 benchmark was skipped, so the baseline result was used instead. If it was deleted from the codebase, click here and archive it to remove it from the performance reports.

@chenjiahan chenjiahan merged commit 5efae27 into main Jan 26, 2026
51 of 53 checks passed
@chenjiahan chenjiahan deleted the renovate/npm-lodash-es-vulnerability branch January 26, 2026 02:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chenjiahan chenjiahan chenjiahan approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chenjiahan