
CVE-2026-4800 lodash: Arbitrary code execution via untrusted input in template imports#224

Open
keithchong wants to merge 2 commits into
redhat-developer:mainfrom
keithchong:main-UpdateLodashVersion

Conversation

@keithchong

Collaborator

@aali309 , updating version for now. I will be bumping up the dynamic plugin SDK, and removing the dependency on the old dagre package (which pulls in lodash) and will use @dagrejs/dagre instead.

@openshift-ci openshift-ci Bot requested a review from wtam2018 April 28, 2026 17:44
@keithchong keithchong requested review from aali309 and removed request for wtam2018 April 28, 2026 17:44
aali309 previously approved these changes May 5, 2026

@aali309 aali309 left a comment

Collaborator


LGTM!

chore(deps): update dependency lodash-es to v4.18.1
@coderabbitai

coderabbitai Bot commented Jul 3, 2026


Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 9615b8f4-c89d-4d18-afd4-d3fd8df5c859

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Updated package.json devDependencies: bumped lodash-es from ^4.17.23 to ^4.18.1 and added a new lodash dependency at ^4.18.1.

Changes

Dependency Update

Layer / File(s) | Summary
Update lodash dependencies: package.json | lodash-es version bumped to ^4.18.1 and a new lodash ^4.18.1 devDependency was added.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the lodash CVE version bump driving this PR.
Description check | ✅ Passed | The description is related to the dependency update and planned follow-up cleanup.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 11.84%. Comparing base (01e9db1) to head (2756c67).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #224      +/-   ##
==========================================
- Coverage   11.92%   11.84%   -0.09%     
==========================================
  Files         154      154              
  Lines        6272     6326      +54     
  Branches     2028     2162     +134     
==========================================
+ Hits          748      749       +1     
+ Misses       5524     5355     -169     
- Partials        0      222     +222     
Flag | Coverage | Δ
unit-tests | 11.84% <ø> | -0.09% ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

