[depthfirst-2536] Upgrade lodash to 4.18.0 #3326

Closed
depthfirst-app[bot] wants to merge 1 commit into main from patcherai/lodash-4.18.0-2536

Conversation

@depthfirst-app

Overview

Upgrade lodash to 4.18.1 in packages/xrpl

Upgrade

  • Upgraded the lodash dependency from ^4.17.4 to ^4.18.0 in packages/xrpl/package.json.
  • Updated package-lock.json to resolve and install version 4.18.1. This version satisfies the new constraint, resolving high-severity security vulnerabilities while remaining compatible with previous 4.x versions.

Changes

  • Updated the semantic version constraint for lodash in packages/xrpl/package.json.
  • Regenerated package-lock.json to properly lock the new 4.18.1 version and its integrity hash globally.
  • No other code modifications were necessary since the upgrade was verified safely without breaking existing tests.

Warnings

  • The 4.18.x release introduces stricter validations to patch previous exploits:
    • constructor and prototype are now unconditionally blocked as non-terminal path keys in _.unset and _.omit.
    • Untrusted string inputs or forbidden identifiers in _.template imports will now throw an "Invalid imports option passed into _.template" error.
  • Reviewers should double-check that the application does not rely on these specific legacy behaviors or mutating built-in prototypes.

Next Steps

  • Verify the build and tests in the CI pipeline.
  • Review and merge the pull request to deploy the security patches.

Vulnerabilities Fixed

  • lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit

    • Summary: lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit
    • ID: CVE-2026-2950
    • Details: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guarded against string key members, allowing an attacker to bypass the check by passing array-wrapped path segments. This allows the deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
    • References:
  • lodash vulnerable to Code Injection via _.template imports key names

    • Summary: lodash vulnerable to Code Injection via _.template imports key names
    • ID: CVE-2026-4800
    • Details: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template used assignInWith to merge imports, which enumerated inherited properties via for..in. If Object.prototype had been polluted, the polluted keys were copied into the imports object and passed to Function().
    • References:
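As an added example, not code from this pull request or from lodash itself, the following JavaScript shows the two input guards the warnings above describe, written as application-side checks: path segments are flattened before the non-terminal `constructor`/`prototype` check so array-wrapped segments cannot hide a forbidden key, and template imports keys must be plain identifiers and are read as own properties only. The `__proto__` entry, the function names and the error messages are this example's own assumptions.

```javascript
// Keys the PR describes as blocked in non-terminal path position; __proto__
// is added here as a conservative measure (an assumption of this example).
const FORBIDDEN_PATH_KEYS = new Set(["constructor", "prototype", "__proto__"]);

// Flatten "a.b.c", ["a", "b"] or array-wrapped forms such as ["a", ["b"]]
// into plain string segments, so wrapping cannot hide a key from the check.
function normalizePath(path) {
  const segments = [];
  const walk = (part) => {
    if (Array.isArray(part)) {
      part.forEach(walk);
    } else if (typeof part === "string") {
      part.split(".").forEach((s) => segments.push(s));
    } else {
      segments.push(String(part));
    }
  };
  walk(path);
  return segments;
}

// A path is safe when no forbidden key is used to traverse into a prototype,
// i.e. none of them appears before the last segment (terminal use is allowed).
function isSafePath(path) {
  const segments = normalizePath(path);
  const last = segments.length - 1;
  return segments.every((seg, i) => i === last || !FORBIDDEN_PATH_KEYS.has(seg));
}

// Template imports: every key must be a plain identifier, and only own keys are
// copied (Object.keys, not for..in) so inherited properties are never forwarded.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function sanitizeImports(imports) {
  if (imports === null || typeof imports !== "object") {
    throw new TypeError("imports must be an object");
  }
  const clean = {};
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key)) {
      throw new Error(`Invalid imports key name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}
```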

@kuan121

kuan121 commented Apr 23, 2026

Collaborator

Close as lodash has been upgraded in #3271

@kuan121 kuan121 closed this Apr 23, 2026