From ac7696f9a14e8c584a54532cd6be328df9eba014 Mon Sep 17 00:00:00 2001
From: Igor Menkov
Date: Fri, 12 Jun 2026 14:16:09 +0200
Subject: [PATCH] Fix lodash CVE-2026-4800 by bumping to 4.17.23 (patched)
Upgrades the direct lodash dependency from ^4.17.21 to ~4.17.23 to remediate CVE-2026-4800. Pinned with ~ to stay on the 4.17.x patched line and avoid the 4.18 series (4.18.0 is published as DEPRECATED with the maintainer note "Bad release. Please use lodash@4.17.21 instead.")
- package.json: lodash ^4.17.21 -> ~4.17.23
- package-lock.json: regenerated via `npm install`; sole lodash node 4.17.21 -> 4.17.23
All 3 transitive consumers (archiver-utils, mocha-multi-reporters, async via winston/prompt) continue to dedupe to the single hoisted lodash. No overrides required. Source-code audit covers 22 lodash functions in use; all are stable across 4.17.x and no `_.template` usage exists. No source changes.
S360-Run-Id: 495d2f2c-025e-4d09-ad47-bf5a23bad72f
S360-KPI: SFI-ES5.2
S360-Skill: dependabot:dependency-update-orchestrator
S360-Arm: dedicated_skill
S360-Action-Items: 928b7015-db58-41a3-94ea-ab73c7bb9f4d:17027a63-3844-47e7-858a-baccf93ba52e
---
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 8acc9617..f46dab48 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -18,7 +18,7 @@
 "jju": "^1.4.0",
 "json-in-place": "^1.0.1",
 "jszip": "^3.10.1",
- "lodash": "^4.17.21",
+ "lodash": "~4.17.23",
 "minimist": "^1.2.6",
 "mkdirp": "^1.0.4",
 "onecolor": "^2.5.0",
@@ -2624,9 +2624,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.21",
- "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha1-Z5WRxWTDv/quhFTPCz3zcMPWkRw=",
+ "version": "4.17.23",
+ "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha1-8ROwN4OGEDvk9okziMc9C95/LFo=",
 "license": "MIT"
 },
 "node_modules/log-symbols": {
@@ -6176,9 +6176,9 @@
 }
 },
 "lodash": {
- "version": "4.17.21",
- "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha1-Z5WRxWTDv/quhFTPCz3zcMPWkRw="
+ "version": "4.17.23",
+ "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha1-8ROwN4OGEDvk9okziMc9C95/LFo="
 },
 "log-symbols": {
 "version": "4.1.0",
diff --git a/package.json b/package.json
index b2d5f412..ce8db282 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
 "jju": "^1.4.0",
 "json-in-place": "^1.0.1",
 "jszip": "^3.10.1",
- "lodash": "^4.17.21",
+ "lodash": "~4.17.23",
 "minimist": "^1.2.6",
 "mkdirp": "^1.0.4",
 "onecolor": "^2.5.0",