Skip to content

[Snyk] Fix for 5 vulnerabilities#186

Open
patzeltj wants to merge 1 commit intodevelopfrom
snyk-fix-3377c8d984d75cc96a39ed4f43154306
Open

[Snyk] Fix for 5 vulnerabilities#186
patzeltj wants to merge 1 commit intodevelopfrom
snyk-fix-3377c8d984d75cc96a39ed4f43154306

Conversation

@patzeltj
Copy link
Copy Markdown

@patzeltj patzeltj commented Apr 2, 2026

snyk-top-banner

Snyk has created this PR to fix 5 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning 
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Arbitrary Code Injection
SNYK-JS-LODASH-15869625		   716  
high severity Arbitrary Code Injection
SNYK-JS-LODASHES-15869627		   716  
medium severity Prototype Pollution
SNYK-JS-LODASH-15869619		   631  
medium severity Prototype Pollution
SNYK-JS-LODASHES-15869621		   631  
medium severity Prototype Pollution
SNYK-JS-LODASH-15053838		   559  

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary Code Injection

@patzeltj
Copy link
Copy Markdown
Author

patzeltj commented Apr 2, 2026

Merge Risk: Medium

This upgrade for lodash and lodash-es includes security fixes that introduce minor behavioral changes, warranting a medium risk assessment.

Key Changes:

  • _.unset / _.omit: A security fix for prototype pollution has altered the behavior of these functions. Calls that previously might have modified an object's prototype will now fail silently, returning false instead of true.
  • _.template: A security fix for code injection now causes the function to throw an error if the imports option contains invalid characters.

Impact:

While these changes prevent security vulnerabilities, they could affect applications that inadvertently relied on the previous, unsafe behavior. No mandatory code changes are required unless your application was exploiting these vulnerabilities.

Recommendation:
Verify that any application logic using _.unset, _.omit, or _.template is not dependent on the old, vulnerable behaviors.

Source: GitHub Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@patzeltj @snyk-bot