build(deps-dev): bump lodash-es from 4.17.21 to 4.18.1 in /web/tests/e2e#12513
build(deps-dev): bump lodash-es from 4.17.21 to 4.18.1 in /web/tests/e2e#12513dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.18.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
dj4oC
left a comment
There was a problem hiding this comment.
Bumps lodash-es from 4.17.21 to 4.18.1 in web/tests/e2e/package.json (devDependency, E2E test tooling only — not shipped in the product bundle).
Findings
No blocking issues — this is a beneficial bump: 4.18.0/4.18.1 fix a prototype-pollution issue in _.unset/_.omit (GHSA-f23m-r3pf-42rh) and a code-injection issue in _.template (CVE-2026-4800/GHSA-r5fr-rjxr-66jc). Since this dependency is scoped to web/tests/e2e dev tooling, it carries no production runtime exposure either way.
One lockfile-hygiene note: only package.json changed in this diff — pnpm-lock.yaml doesn't appear to have been regenerated alongside it. Worth confirming pnpm install --frozen-lockfile still succeeds for web/tests/e2e, or has the lockfile update squashed in before merge.
Deployment topology check
N/A — test-only dependency, no runtime/deployment impact.
Verdict
Commenting
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
|
CI is red and not transient ( This PR's commit only touches Suggested fix: comment
🤖 Automated review by Claude Code (security · stability · performance · coverage) Generated by Claude Code |
|
CI investigation: the failures here aren't caused by the lodash-es 4.17.21→4.18.1 bump itself — the jobs don't get far enough to exercise it.
Both look like Dependabot config/lockfile hygiene gaps rather than a breaking dependency change. Suggest regenerating 🤖 Automated review by Claude Code (security · stability · performance · coverage) Generated by Claude Code |
|
Holding: CI is failing (not a rebase conflict): build-and-test, web-build-test, web-tests-passed. A rebase won't fix this — needs a human/upstream fix. |
Bumps lodash-es from 4.17.21 to 4.18.1.
Release notes
Sourced from lodash-es's releases.
Commits
cb0b9b9release(patch): bump main to 4.18.1 (#6177)75535f5chore: prune stale advisory refs (#6170)62e91bcdocs: remove n_ Node.js < 6 REPL note from README (#6165)59be2derelease(minor): bump to 4.18.0 (#6161)af63457fix: broken tests for _.template 879aaa91073a76fix: linting issues879aaa9fix: validate imports keys in _.templatefe8d32efix: block prototype pollution in baseUnset via constructor/prototype traversal18ba0a3refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)b819080ci: add dist sync validation workflow (#6137)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.