
[depthfirst-2495] Upgrade lodash to 4.18.0 #3277

Closed
depthfirst-app[bot] wants to merge 1 commit into main from patcherai/lodash-4.18.0-2495

Conversation

@depthfirst-app


Overview

Upgrade lodash to address Prototype Pollution and Code Injection vulnerabilities

Upgrade

  • Upgraded the lodash dependency in package.json from ^4.17.21 to ^4.18.0.
  • Updated package-lock.json to reflect the new dependency tree. The npm install process successfully resolved lodash to version 4.18.1, which contains the target security fixes as well as a subsequent patch for a ReferenceError bug present in 4.18.0.

Warnings

The 4.18.0 release introduces strict behavior modifications to fix security vulnerabilities. Please review the following changes:

  • _.unset and _.omit modifications: The constructor and prototype keys are now unconditionally blocked as non-terminal path keys to prevent prototype pollution. Calls that previously returned true and deleted properties from built-in prototypes will now safely return false and leave the prototype unmodified.
  • _.template modifications: To fix code injection vulnerabilities, imports keys are now validated. Passing imports keys containing forbidden identifier characters will now throw an "Invalid imports option passed into _.template" error.
  • Double-check your application code to ensure it doesn't depend on passing untrusted variables as imports keys to templates or dynamically deleting prototype properties.

Next Steps

  • Review the dependency upgrade and verify that CI checks pass successfully.
  • Conduct a sanity check on any components utilizing _.template, _.unset, or _.omit to verify they remain unaffected by the stricter input validations.

Vulnerabilities Fixed

  • ID: CVE-2026-2950

    • Summary: lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit
    • Details: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
    • References:
  • ID: CVE-2026-4800

    • Summary: lodash vulnerable to Code Injection via _.template imports key names
    • Details: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
    • References:

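The two weaknesses the bot's advisory text above describes (a string-only guard in _.unset/_.omit that array-wrapped path segments slip past, and _.template imports key names reaching a Function() parameter list unvalidated, including inherited keys picked up by a for..in walk) can be reproduced with a toy path walker and a toy compile step. This is an added illustration, not lodash's source and not code from this PR; the function names, the BLOCKED_KEYS set (which adds __proto__ beyond the two keys the advisory names), the identifier regex, the error message and the demo constructor are assumptions chosen here. The demonstration runs against a throwaway Widget constructor and against an object with a hostile prototype rather than against Object.prototype, so the process stays usable; the walk and the sink are the same shape as for built-ins.

```javascript
// Added illustration, not lodash source: a toy path walker and a toy template
// compile step showing the bypassable guard beside its stricter form.

// Keys that must never be walked through as a non-terminal path segment.
// The advisory names constructor and prototype; __proto__ is added here
// (assumption) because the same walk reaches Object.prototype through it.
const BLOCKED_KEYS = new Set(['constructor', 'prototype', '__proto__']);

// Loose coercion of a segment to a property name: the array segment
// ['constructor'] becomes the string 'constructor' only here, after any
// guard that only looks at string segments has already run.
function toKey(seg) {
  return typeof seg === 'string' ? seg : String(seg);
}

// String-only guard (the bypassable shape): a wrapped segment is not a string.
function weakGuard(seg) {
  return typeof seg === 'string' && BLOCKED_KEYS.has(seg);
}

// Strict guard: normalize first, then compare, so wrapping changes nothing.
function strictGuard(seg) {
  return BLOCKED_KEYS.has(toKey(seg));
}

// Minimal unset(obj, path): false when a blocked non-terminal key is seen,
// otherwise the result of the final delete. An omit built on it inherits the
// same behaviour, since omit deletes the listed paths from a copy.
function unsetPath(obj, path, guard) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (guard(path[i])) return false;
    cur = cur[toKey(path[i])];
    if (cur == null) return true;
  }
  return delete cur[toKey(path[path.length - 1])];
}

// Throwaway constructor standing in for a built-in; path segments are arrays.
function demoUnset(guard) {
  function Widget() {}
  Widget.prototype.render = () => 'ok';
  const w = new Widget();
  const path = [['constructor'], ['prototype'], 'render']; // array-wrapped segments
  const result = unsetPath(w, path, guard);
  return { result, prototypeIntact: typeof Widget.prototype.render === 'function' };
}

// Imports keys become a Function() parameter list, so anything that is not a
// plain identifier is parsed as syntax there (e.g. `a = expr` is a default
// parameter whose expr runs when the function is applied).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Key collection the way a for..in based merge does: own and inherited.
function keysViaForIn(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Toy compile step: keys form the parameter list, the body is fixed, and the
// factory is applied to the import values. Only the parameter list is
// attacker-influenced, which is enough.
function compileImports(imports, { validate, ownKeysOnly }) {
  const keys = ownKeysOnly ? Object.keys(imports) : keysViaForIn(imports);
  if (validate) {
    for (const k of keys) {
      if (!IDENTIFIER.test(k)) throw new Error('Invalid imports option passed into template');
    }
  }
  const values = keys.map(k => imports[k]);
  const factory = Function(keys.join(', '), 'return function(data) { return String(data); };');
  return factory.apply(undefined, values);
}

function demoTemplate() {
  const out = {};
  // Hostile key name; its value is undefined so the default parameter fires.
  const hostile = { 'x = (globalThis.pwnedByKey = true)': undefined, _: {} };
  globalThis.pwnedByKey = false;
  compileImports(hostile, { validate: false, ownKeysOnly: true });
  out.unvalidatedKeyRan = globalThis.pwnedByKey === true;

  globalThis.pwnedByKey = false;
  try {
    compileImports(hostile, { validate: true, ownKeysOnly: true });
    out.validatedThrew = false;
  } catch (e) {
    out.validatedThrew = /Invalid imports/.test(e.message);
  }
  out.validatedKeyRan = globalThis.pwnedByKey === true;

  // Inherited key stands in for a polluted Object.prototype without touching it.
  const inherited = Object.create({ 'y = (globalThis.pwnedByProto = true)': undefined });
  globalThis.pwnedByProto = false;
  compileImports(inherited, { validate: false, ownKeysOnly: false });
  out.forInCopiedInherited = globalThis.pwnedByProto === true;
  globalThis.pwnedByProto = false;
  compileImports(inherited, { validate: false, ownKeysOnly: true });
  out.ownKeysIgnoredInherited = globalThis.pwnedByProto === false;
  return out;
}

console.log(demoUnset(weakGuard), demoUnset(strictGuard), demoTemplate());
```

The sanity check the bot recommends for callers of _.template, _.unset and _.omit reduces to the two questions this block encodes: does any caller let an untrusted value choose a path segment or an imports key name, and does the upgraded version now return false or throw for it.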

kuan121 commented Apr 20, 2026

Collaborator

Close as the upgrade will be done as part of #3271

kuan121 closed this Apr 20, 2026
