Skip to content

chore(deps): update dependency lodash to v4.17.23 [security] #11640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

chore(deps): update dependency lodash to v4.17.23 [security] #11640

renovate wants to merge 1 commit into from
+3 −3

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 22, 2026

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions

CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg

More information

Details

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the Security label Jan 22, 2026
@github-actions
Copy link

github-actions bot commented Jan 22, 2026

Oops! Looks like you forgot to update the changelog. When updating CHANGELOG.md, please consider the following:

  • Changelog is read by country implementors who might not always be familiar with all technical details of OpenCRVS. Keep language high-level, user friendly and avoid technical references to internals.
  • Answer "What's new?", "Why was the change made?" and "Why should I care?" for each change.
  • If it's a breaking change, include a migration guide answering "What do I need to do to upgrade?".

@github-actions
Copy link

github-actions bot commented Jan 22, 2026

ℹ️ Coverage metrics explained:
Statements — Executed code statements (basic logic lines)
Branches — Tested decision paths (if/else, switch, ternaries)
Functions — Functions invoked during tests
Lines — Source lines executed

@github-actions
Copy link

github-actions bot commented Jan 22, 2026

📊 commons test coverage

Statements: 67.37%
Branches:   33.29%
Functions:  50.6%
Lines:      66.79%
Updated at: Thu, 22 Jan 2026 10:11:59 GMT

@github-actions
Copy link

github-actions bot commented Jan 22, 2026

📊 events test coverage

Statements: 85.31%
Branches:   84.14%
Functions:  90.47%
Lines:      85.31%
Updated at: Thu, 22 Jan 2026 10:16:28 GMT

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants