
[S360] Fix CVE-2026-4800: Update lodash to 4.18.x#2546

Open
lucygramley wants to merge 2 commits into main from s360/fix-lodash

Conversation

@lucygramley
Contributor

S360 Security Fix

CVE: CVE-2026-4800 (lodash)
Severity: High

What changed

  • Added lodash override to ensure >= 4.18.x across all test projects

Why

lodash versions prior to 4.18.x contain known prototype pollution vulnerabilities.

Testing

  • Project builds successfully

References

lucygramley and others added 2 commits May 4, 2026 08:33
Updates lodash from 4.17.23 to 4.18.1 across all projects to fix
CVE-2026-4800 (Code Injection via _.template imports key names).

Updated lockfiles:
- Nodejs/Tests/MockProjects/reactappwithjestteststypescript
- Nodejs/Tests/MockProjects/NodeAppWithAngularTests
- Nodejs/Tests/MockProjects/reactappwithjesttestsjavascript
- Root package-lock.json

S360 KPI: [SFI-ES5.2] 1ES Open Source Vulnerabilities

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move lodash ^4.18.1 from dependencies to overrides in all package.json
files. This forces the transitive dependency to resolve to the patched
version without adding lodash as a direct dependency.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
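An npm `overrides` entry only forces the patched version once the lockfile is regenerated, and a stale nested copy under some dependency's own `node_modules` is the usual way the old version survives. The following is an added example, not code from this PR or the project, that scans a lockfile (`lockfileVersion` 2 or 3, the `packages` map) for every installed copy of a package and reports any below the minimum. The `sampleLock` and `samplePkg` objects are constructed sample data; `some-lib` is a hypothetical dependency, and the top-level path check mirrors what the PR's override is meant to guarantee.

```javascript
// Added example (not part of the PR): verify that an npm "overrides" entry
// actually took effect by scanning a package-lock.json for every installed
// copy of a package, nested copies included.
// The lockfile and manifest below are constructed sample data, not the
// PR's own files; "some-lib" is a hypothetical dependency.

const MIN_LODASH = '4.18.1';

// Constructed lockfile (lockfileVersion 3 layout): a top-level lodash at the
// patched version, plus a nested copy that a dependency still pins to 4.17.x,
// which is what a missed `npm install` after adding the override looks like.
const sampleLock = {
  name: 'mock-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'mock-project', dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { lodash: '4.17.21' } },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.21' },
  },
};

// Constructed manifest with the override the PR adds.
const samplePkg = { name: 'mock-project', overrides: { lodash: '^4.18.1' } };

// Compare dotted version strings numerically; prerelease tags are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed path of `pkg` in the lockfile, hoisted or nested, with its version.
function findInstalled(lock, pkg) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Copies below the minimum version; an empty array means the override held everywhere.
function findVulnerable(lock, pkg, minVersion) {
  return findInstalled(lock, pkg).filter((h) => compareVersions(h.version, minVersion) < 0);
}

// Whether the manifest declares an override for `pkg` whose base version is `minVersion`
// (accepts "^4.18.1", "~4.18.1", ">=4.18.1" or a bare "4.18.1").
function hasOverride(manifest, pkg, minVersion) {
  const spec = manifest.overrides && manifest.overrides[pkg];
  return typeof spec === 'string' && spec.replace(/^[\^~>=\s]+/, '') === minVersion;
}

// Stand-alone run over the constructed data: prints the nested 4.17.21 copy.
const vulnerable = findVulnerable(sampleLock, 'lodash', MIN_LODASH);
console.log(hasOverride(samplePkg, 'lodash', MIN_LODASH) ? 'override declared' : 'override missing');
for (const v of vulnerable) console.log(`vulnerable copy: ${v.path}@${v.version}`);
```

To run this against a real checkout, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and do the same for `package.json`; a non-empty result from `findVulnerable` means the lockfile was not regenerated after the override was added, or a dependency bundles its own copy. Lockfile version 1 keeps a nested `dependencies` tree instead of the flat `packages` map and is not handled here.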
