
[S360] Fix CVE-2026-4800: Update lodash to 4.18.x #2545

Merged
lucygramley merged 2 commits into main from s360/fix-lodash
May 6, 2026

@lucygramley
Contributor

Fix lodash CVE-2026-4800. Updates 4.17.23 to 4.18.1.

lucygramley and others added 2 commits May 4, 2026 08:33
Updates lodash from 4.17.23 to 4.18.1 across all projects to fix
CVE-2026-4800 (Code Injection via _.template imports key names).

Updated lockfiles:
- Nodejs/Tests/MockProjects/reactappwithjestteststypescript
- Nodejs/Tests/MockProjects/NodeAppWithAngularTests
- Nodejs/Tests/MockProjects/reactappwithjesttestsjavascript
- Root package-lock.json

S360 KPI: [SFI-ES5.2] 1ES Open Source Vulnerabilities

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Move lodash ^4.18.1 from dependencies to overrides in all package.json
files. This forces the transitive dependency to resolve to the patched
version without adding lodash as a direct dependency.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lucygramley lucygramley merged commit 1b80705 into main May 6, 2026
5 of 6 checks passed
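
The `overrides` approach described in the second commit message can be checked per project. The following is an added example, not code from this pull request: it takes an already-parsed package.json and package-lock.json (assumed lockfileVersion 2 or 3) and reports any lodash install below 4.18.1. The sample objects, the `demo` project and the `some-lib` package are constructed.

```javascript
const PATCHED = [4, 18, 1]; // version this PR updates lodash to

// Parse the leading "x.y.z" of a version string into numbers, or null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple v sorts strictly below min.
function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false;
}

// List every lodash install in a lockfile "packages" map (lockfileVersion 2/3)
// that is below the patched version, including copies nested under other packages.
function findUnpatchedLodash(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    const v = parseVersion(entry.version);
    if (!v || isBelow(v, PATCHED)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// How package.json pins lodash: "override", "direct", or "none".
function lodashPinStyle(pkg) {
  if (pkg.overrides && typeof pkg.overrides.lodash === "string") return "override";
  if ((pkg.dependencies || {}).lodash || (pkg.devDependencies || {}).lodash) return "direct";
  return "none";
}

// Constructed sample: the override is declared, but the lockfile was not
// regenerated, so a hypothetical "some-lib" still carries a nested 4.17.23 copy.
const SAMPLE_PKG = { name: "demo", overrides: { lodash: "^4.18.1" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.23" },
    "node_modules/@types/lodash": { version: "4.17.0" },
  },
};

console.log(lodashPinStyle(SAMPLE_PKG), findUnpatchedLodash(SAMPLE_LOCK));
```

Pass it `JSON.parse` of each project's package.json and package-lock.json; a non-empty result means that lockfile still resolves an unpatched lodash and needs regenerating.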