Skip to content

chore(deps): bump lodash-es from 4.17.23 to 4.18.1#44

Open
dependabot[bot] wants to merge 14 commits into
mainfrom
dependabot/npm_and_yarn/lodash-es-4.18.1
Open

chore(deps): bump lodash-es from 4.17.23 to 4.18.1#44
dependabot[bot] wants to merge 14 commits into
mainfrom
dependabot/npm_and_yarn/lodash-es-4.18.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 2, 2026

Copy link
Copy Markdown

Bumps lodash-es from 4.17.23 to 4.18.1.

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

rawand-shakir-draad and others added 14 commits March 5, 2026 16:11
Add plugin-loader package that reads plugins.json, validates
manifests, and exposes hooks for api-server (models, routes,
middleware, migrations) and admin-server (pages, menu items,
widget definitions).

Integration points:
- api-server: db models, middleware (5 positions), routes,
  init/migrate database scripts
- admin-server: dynamic sidenav items, catch-all plugin pages,
  widget definition merging, next.config transpilation
- widget-settings: merges plugin widget definitions into core

Safety: broken/missing plugins are logged and skipped,
never crash the server.
Remove hardcoded test-resources admin pages and let the catch-all
plugin route handle them. Add widget preview and server external
packages support to the catch-all route so plugin widgets get the
same features as core widgets.
The plugin widget route uses [...widgetPath] catch-all, so the widget ID
isn't available in router.query.id. Extract the ID from path segments and
pass it as idOverride to useWidgetConfig, useWidgetPreview, and
WidgetPublish so plugin widgets load and publish correctly.
Replace memoryStorage with databaseStorage backed by Sequelize models
for authorization codes, refresh tokens, and tasks. Access tokens
already used the database. Adds migration for the three new tables.

Also fixes a bug in token.js where non-existent memoryStorage.clients
was called instead of db.Client.
…ffinity

Add USE_KUBERNETES_CRONJOBS env var to disable in-process cron scheduling
and offload to a dedicated K8s CronJob that runs every configurable N
minutes, executing any application crons due within that window.

Add configurable pod anti-affinity (preferred/required) scoped to the
current namespace to spread replicas across nodes.
Move podAntiAffinity config from api-specific to global.podAntiAffinity
with enabled/mode settings. Add reusable helper template and apply to
all 5 deployments (api, admin, auth, cms, image). Each deployment uses
its own app label, scoped to the current namespace.
Replace build-time plugin imports with runtime loading via IIFE bundles.
Plugins are now served by the api-server and loaded via <script> tags,
enabling add/remove without rebuilding Docker images.

- Convert plugin-loader to TypeScript with manifest validation
- Add API endpoints: GET /registry, POST /reload (auth-protected), GET /bundle
- Add PluginComponentLoader React component for runtime bundle loading
- Simplify next.config.js by removing ~190 lines of build-time plugin code
- Extract plugin loading from Server.js into plugin-loader-init.js
- Remove plugin volume mounts from docker-compose.yml (moved to override)
- Remove metkoos as build-time dependency (runtime-only now)
- Add path traversal protection and Content-Type headers on bundle endpoint
- Reset plugins.json to empty default (deployment-specific config)
Add global.autoscaling values with per-service overrides for HPA
configuration including stabilizationWindowSeconds (cooldown) and
scaling policies. When autoscaling is enabled, replicas are omitted
from Deployments so the HPA manages pod count.
- Add PLUGIN_JSON_OVERRIDE env var support to plugin-loader for K8s ConfigMap injection
- Extract _loadEntries() method to avoid duplication between env var and file-based loading
- Add Helm plugins section (values.yaml) with enabled, nodeImage, installPath, npmrcSecret, items
- Add plugins-configmap.yaml template rendering plugin config as ConfigMap
- Add init container to API and Admin deployments that npm installs plugins into shared volume
- Add NODE_PATH + PLUGIN_JSON_OVERRIDE env vars to API/Admin containers and init-db-ready
- Support version pinning per plugin and private registries via npmrc secret
- Add explicit plugin-loader tsc build step in Dockerfile builder stage
- Ship plugin-loader dist/ in git (removed from .gitignore)
- Add 4 new tests for PLUGIN_JSON_OVERRIDE (41 total, all passing)
feat(plugins): runtime IIFE loading with API endpoints
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants