Bump lodash from 4.17.19 to 4.17.23

[dependabot]

Bumps lodash from 4.17.19 to 4.17.23.

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dg-appsec-cxone]

Checkmarx One – Scan Summary & Details – 8f7ae33f-2640-417d-be3c-c323d6054e9b

New Issues (8)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-15284	Npm-qs-6.5.2	details Recommended version: 6.14.1 Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-66418	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-66471	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-21441	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-23745	Npm-tar-4.4.13	details Recommended version: 7.5.3 Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
6		CVE-2026-23950	Npm-tar-4.4.13	details Recommended version: 7.5.3 Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2025-14505	Npm-elliptic-6.5.4	details Description: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
8		CVE-2025-64718	Npm-js-yaml-3.14.0	details Recommended version: 3.14.2 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

Fixed Issues (3)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2020-8203	Npm-lodash-4.17.19
	CVE-2021-23337	Npm-lodash-4.17.19
	CVE-2020-28500	Npm-lodash-4.17.19

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR