Conversation

Contributor

@dependabot dependabot bot commented on behalf of github Jan 22, 2026

Bumps lodash from 4.17.21 to 4.17.23.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 22, 2026

fossabot bot commented Jan 22, 2026

fossabot is Thinking


fossabot bot commented Jan 22, 2026

Needs Review

I recommend reviewing this upgrade before merging because the package-lock.json specifies a non-existent lodash version (4.17.23) which causes installation failures. The latest available version is 4.17.21. While the security vulnerabilities mentioned represent fixes rather than new issues, and lodash is only used as a transitive dev dependency by jsdoc documentation tooling (not in production code), the version constraint must be corrected to enable successful dependency installation. The fix is straightforward - update package-lock.json to reference the correct version 4.17.21.

Tip: Comment @fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

  • In package-lock.json, search for all occurrences of lodash version '4.17.23' and replace with '4.17.21'. Specifically: find '"version": "4.17.23"' under the lodash entry and change to '"version": "4.17.21"', also update the 'resolved' URL from 'lodash/-/lodash-4.17.23.tgz' to 'lodash/-/lodash-4.17.21.tgz', and update the 'integrity' hash to match 4.17.21's hash (sha512-v2kDE0KQM...)
    Files: package-lock.json
  • Alternative fix: Delete package-lock.json and regenerate by running 'npm install' OR 'rm package-lock.json && npm install'. This will resolve lodash to the correct version 4.17.21 automatically based on the ^4.17.21 constraint in @jsdoc/salty.
    Run: rm package-lock.json && npm install
    Files: package-lock.json

AI Assistant Prompt

# Fix Invalid Lodash Version in package-lock.json

## Context
The package-lock.json references lodash version 4.17.23, which doesn't exist on npm. The latest available version is 4.17.21. This causes `npm install` to fail.

Lodash is a transitive dev dependency (brought in by jsdoc tooling) - it's not used directly in the application code.

## Required Fix

In `package-lock.json`, find the lodash entry and make these changes:

1. **Version**: Change `"version": "4.17.23"` to `"version": "4.17.21"`

2. **Resolved URL**: Change the resolved URL from:
   `lodash/-/lodash-4.17.23.tgz` 
   to:
   `lodash/-/lodash-4.17.21.tgz`

3. **Integrity hash**: Update the integrity hash to the correct one for 4.17.21:
   `sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==`

## Alternative Approach

If manual editing seems error-prone, you can regenerate the lockfile:

```bash
rm package-lock.json && npm install
```

This will automatically resolve lodash to the correct version 4.17.21.

## Verification

After fixing, run `npm install` to confirm it completes without errors.

What we checked

  • package-lock.json references non-existent lodash version 4.17.23 [1]
  • npm registry confirms lodash 4.17.21 is the latest version; 4.17.23 does not exist [2]
  • lodash is not listed as a direct dependency - it's only a transitive devDependency through jsdoc [3]
  • @jsdoc/salty requires lodash ^4.17.21 - should resolve to 4.17.21, not 4.17.23 [4]
  • Security fixes in 4.17.21 address prototype pollution and command injection (CVE-2021-23337) - these are fixes, not new vulnerabilities [5]

Dependency Usage

Lodash is not actively used in the application code and exists only as a transitive dependency brought in by other packages. No files in the codebase import or reference lodash directly, indicating it provides no direct business functionality to this Tiltify API client application. This represents a typical scenario where a utility library is installed as part of the dependency tree but remains dormant in the actual codebase.

Changes

Lodash upgraded with a critical security fix for prototype pollution in _.unset() that now blocks __proto__ keys and constructor.prototype chains. The update also adds security documentation (threat model, escalation policy), incident response planning, and automated security scanning through CodeQL and scorecard reporting.

  • Add security threat model (v4.17.21-4.17.23, commit)
  • Add security escalation policy (v4.17.21-4.17.23, commit)
  • Add security.md (v4.17.21-4.17.23, commit)
  • Fix setCacheHas JSDoc return type to boolean (v4.17.21-4.17.23, commit)
  • Fix autoLink function and source links documentation (v4.17.21-4.17.23, commit)
  • Fix linting issues (v4.17.21-4.17.23, commit)
  • Add Renovate setup (v4.17.21-4.17.23, commit)
  • Add IRP (Incident Response Plan) (v4.17.21-4.17.23, commit)
  • Add scorecard reporting (v4.17.21-4.17.23, commit)
  • Add CodeQL analysis (v4.17.21-4.17.23, commit)
  • Add CI pipeline for Node (v4.17.21-4.17.23, commit)
  • Add contributors section to README (v4.17.21-4.17.23, commit)
  • Bump main to v4.17.23 (v4.17.21-4.17.23, commit)
  • Update _.compact JSDoc to document -0 and BigInt zeros as falsey values (v4.17.21-4.17.23, commit)
  • Prevent prototype pollution on baseUnset function (v4.17.21-4.17.23, commit)
  • Remove yarn.lock file (v4.17.21-4.17.23, commit)
  • Remove legacy CI configuration files (v4.17.21-4.17.23, commit)
  • Update documentation links for Open JS Foundation (v4.17.21-4.17.23, commit)
  • Fixed prototype pollution vulnerability in _.unset() function (GHSA-xxjr-mmjv-4gpg). The function now blocks '__proto__' keys when not own properties and prevents 'constructor.prototype' chains to protect against malicious property paths. (v4.17.23, package source)
  • Added missing semicolon in iteratee function return statement for improved code consistency (v4.17.23, package source)
  • Removed Nix development environment configuration files (flake.lock and flake.nix) (v4.17.23, package source)
  • Removed internal release documentation (release.md) (v4.17.23, package source)
References (5)

[1]: package-lock.json references non-existent lodash version 4.17.23

"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",

[2]: npm registry confirms lodash 4.17.21 is the latest version; 4.17.23 does not exist (source link)

[3]: lodash is not listed as a direct dependency - it's only a transitive devDependency through jsdoc

"dependencies": {

[4]: @jsdoc/salty requires lodash ^4.17.21 - should resolve to 4.17.21, not 4.17.23

"lodash": "^4.17.21"

[5]: Security fixes in 4.17.21 address prototype pollution and command injection (CVE-2021-23337) - these are fixes, not new vulnerabilities (source link)


fossabot analyzed this PR using dependency research.
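A lockfile consistency check of the kind the Fix Suggestions above call for, as an added example. This is neither the project's code nor fossabot's, and the embedded lockfile is constructed for the example: the lodash entry reproduces the version-versus-resolved-tarball mismatch discussed in this PR and reuses the 4.17.21 integrity hash quoted above, while the @jsdoc/salty and example-clean entries carry made-up versions and a placeholder hash.

```javascript
// Added example, not the project's or fossabot's code: sanity-check a
// package-lock.json "packages" map for entries whose declared version does
// not match the tarball named in "resolved", or that lack a sha512 integrity.

// Constructed sample lockfile. The lodash entry mirrors the mismatch described
// in this PR (version vs. resolved tarball) and reuses the 4.17.21 integrity
// hash quoted above; the other two entries use made-up versions/hashes.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { jsdoc: '^4.0.0' } },
    'node_modules/lodash': {
      version: '4.17.23',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==',
      dev: true
    },
    'node_modules/@jsdoc/salty': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/@jsdoc/salty/-/salty-1.0.0.tgz',
      dev: true
      // integrity deliberately absent in this constructed entry
    },
    'node_modules/example-clean': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-clean/-/example-clean-1.2.3.tgz',
      integrity: 'sha512-EXAMPLEPLACEHOLDERNOTAREALHASH==',
      dev: true
    }
  }
};

// npm tarball names end in "<name>-<version>.tgz"; capture the version part.
const TARBALL_VERSION = /-(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\.tgz$/;

// "node_modules/@jsdoc/salty/node_modules/lodash" -> "lodash"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns a list of { name, path, problem } findings; empty means consistent.
function checkLockfile(lock) {
  const findings = [];
  const report = (name, path, problem) => findings.push({ name, path, problem });
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || entry.link) continue; // root project and workspace links
    const name = packageNameFromPath(lockPath);
    if (typeof entry.resolved !== 'string') {
      report(name, lockPath, 'no resolved URL');
      continue;
    }
    if (!entry.resolved.startsWith('https://')) {
      report(name, lockPath, `resolved URL is not https: ${entry.resolved}`);
    }
    const match = TARBALL_VERSION.exec(entry.resolved);
    if (match && match[1] !== entry.version) {
      report(name, lockPath, `version ${entry.version} but resolved tarball is ${match[1]}`);
    }
    if (typeof entry.integrity !== 'string' || !entry.integrity.startsWith('sha512-')) {
      report(name, lockPath, 'missing or non-sha512 integrity');
    }
  }
  return findings;
}

// On the constructed sample this reports the lodash mismatch and the missing
// @jsdoc/salty integrity, and nothing for example-clean.
console.log(JSON.stringify(checkLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real lockfile, pass the parsed contents of package-lock.json to checkLockfile; any finding is a reason to regenerate or hand-correct the file before trusting an npm install, which is what the suggestions above ask for.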
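The guard described in the Changes list above (refusing `__proto__` when it is not an own property, and refusing `constructor.prototype` chains) shown in a small path-based unset, as an added example. This is not lodash's own implementation; the dot-separated path syntax, the function names and the return-value convention are assumptions of the example.

```javascript
// Added example, not lodash's own code: a path-based unset that refuses to
// step into shared prototypes, illustrating the kind of guard the fix for
// _.unset() described above introduces. Paths are dot-separated strings or
// arrays of keys (an assumption of this example, not lodash's full syntax).

function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// A step is unsafe when it would leave the caller's own object graph:
// "__proto__" that is not an own property resolves to the shared prototype,
// and "constructor" followed by "prototype" reaches a constructor's prototype.
function isUnsafeStep(obj, key, nextKey) {
  if (key === '__proto__' && !Object.prototype.hasOwnProperty.call(obj, key)) {
    return true;
  }
  return key === 'constructor' && nextKey === 'prototype';
}

// Remove the property at `path` from `obj`. Returns true when the path is
// absent or the delete succeeded, false when a guard rejected the path or
// the property could not be deleted.
function safeUnset(obj, path) {
  const keys = toPath(path);
  let current = obj;
  for (let i = 0; i < keys.length; i++) {
    if (!isObjectLike(current)) return true; // nothing to delete along this path
    if (isUnsafeStep(current, keys[i], keys[i + 1])) return false;
    if (i === keys.length - 1) {
      return Reflect.deleteProperty(current, keys[i]);
    }
    current = current[keys[i]];
  }
  return true;
}

const sample = { a: { b: 1 } };
console.log(safeUnset(sample, 'a.b'), sample);        // true { a: {} }
console.log(safeUnset(sample, '__proto__.toString')); // false, Object.prototype untouched
console.log(safeUnset(sample, ['constructor', 'prototype', 'hasOwnProperty'])); // false
```

An object that really does carry an own property named `__proto__` (as JSON.parse produces for a `"__proto__"` key) is still editable through the guard, because the own-property check distinguishes that data property from the prototype accessor; that is the distinction the "when not own properties" wording in the change list refers to.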
