chore(deps): update lodash to 4.18.1 #3043
Merged: chrarnoldus merged 1 commit into main on May 5, 2026.
Code Review Summary. Status: No Issues Found | Recommendation: Merge. Files Reviewed (2 files).
Reviewed by gpt-5.5-20260423 · 187,800 tokens
johnnyeric approved these changes on May 5, 2026.
Summary

The `lodash` pnpm override goes from `>=4.17.23` to `>=4.18.1`, pulling in the latest upstream release across the monorepo. `lodash` is not a direct dependency of any workspace package; it is only present transitively (archiver, discord.js shapeshift, html-webpack-plugin, stream-chat-expo, etc.). The override exists to force security patches into those transitives. The lockfile now resolves a single `lodash@4.18.1` for everyone.

Why the 4.18.x changes don't impact us

lodash 4.18.0 is security-only and contains two behavioral changes (release notes):

- `_.unset`/`_.omit` prototype pollution hardening (GHSA-f23m-r3pf-42rh). Array-wrapped path segments and primitive roots targeting `constructor`/`prototype` now fail instead of deleting. A repo-wide search shows no first-party code imports `lodash`, so none of our code calls `_.unset` or `_.omit`. The transitive consumers (archiver/zip-stream, discord.js builders, webpack's html-plugin, stream-chat's react-native markdown) use lodash for array/object helpers, not prototype path manipulation, so the tightened guard does not affect them.
- `_.template` imports-key validation (fix for CVE-2026-4800). `imports` keys containing forbidden identifier characters now throw. We do not use `_.template` directly. The only transitive user is webpack's `html-webpack-plugin`, which calls `_.template` with its own fixed import map of valid identifiers — the new validation does not reject anything it was previously accepting.
- 4.18.1 is a pure build-fix release (restoring `template`/`fromPairs` in the modular builds) with no behavior change from 4.18.0.

Net effect: transitive consumers get the latest security patches; no workspace code paths change.

Verification

- `pnpm install --lockfile-only` resolves `lodash@4.18.1` as the single version in `pnpm-lock.yaml`.
- A search for `from 'lodash'`/`require('lodash')` returns zero first-party hits, confirming no call sites are affected.

Visual Changes

N/A

Reviewer Notes

- `package.json` (pnpm override) and `pnpm-lock.yaml` change.
- `pnpm format` was not run locally because `oxfmt` is not installed in this environment; the touched files (JSON/lockfile) are not subject to oxfmt output changes.
- Full `pnpm typecheck` was skipped per the repo guidance on slow full-monorepo checks; the dependency change is transitive-only and has no TS surface.
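The lockfile half of the verification above, as an added example that is not part of this PR or the project's code: a small Node script that lists every `lodash` version a `pnpm-lock.yaml` resolves and checks each against a minimum. The lockfile text is constructed, and a v9-style layout with `name@version:` keys at two-space indent is assumed.

```javascript
// Added example (not the PR's or the project's code): audit a pnpm-lock.yaml for
// every version of a package it resolves and check each against a minimum.
// Constructed lockfile text; v9-style "name@version:" keys at two-space indent assumed.
const sampleLock = `
lockfileVersion: '9.0'
overrides:
  lodash: '>=4.18.1'
packages:
  archiver@7.0.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  lodash@4.18.1:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  archiver@7.0.1:
    dependencies:
      lodash: 4.18.1
  lodash@4.18.1: {}
`;

// major.minor.patch as numbers; prerelease/build suffixes are dropped (simplification).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Distinct versions the lockfile resolves for pkgName (packages: and snapshots: keys);
// a peer-dependency suffix "(...)" after the version is tolerated.
function resolvedVersions(lockText, pkgName) {
  const escaped = pkgName.replace(/[/@.]/g, '\\$&');
  const re = new RegExp(`^  ${escaped}@([^\\s(:]+)[(:]`, 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// ok: something resolved and nothing below minVersion; single: the override collapsed
// the tree to exactly one version, which is what it is there for.
function auditLockfile(lockText, pkgName, minVersion) {
  const versions = resolvedVersions(lockText, pkgName);
  const below = versions.filter((v) => compareVersions(v, minVersion) < 0);
  return { versions, below, single: versions.length === 1, ok: versions.length > 0 && below.length === 0 };
}
console.log(JSON.stringify(auditLockfile(sampleLock, 'lodash', '4.18.1')));
```

Point the script at the real lockfile with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and fail CI when `ok` or `single` is false, so a future lockfile that quietly reintroduces a second `lodash` version is caught before merge.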