
fix(deps): address CVE-2026-4800 in lodash #1593

Open
taymoor89 wants to merge 1 commit into main from fix/vulnerability-lodash-cve-2026-4800

Conversation

@taymoor89 (Contributor) commented Apr 10, 2026

Summary

Fixes CVE-2026-4800 and CVE-2026-2950: lodash vulnerable to Code Injection via `_.template` (Dependabot alerts #202, #203, #204, #205).

Changes Made

  • Pinned lodash to 4.18.0 in apps/greenhouse/package.json (direct dependency)
  • Added 2 scoped pnpm overrides in root package.json for the transitive parents that haven't updated yet:
    • @graphql-codegen/plugin-helpers>lodash >=4.18.0 (via @graphql-codegen/cli in heureka)
    • @microsoft/api-extractor>lodash >=4.18.0 (via vite-plugin-dts across 8 packages)

Related Issues

Testing Instructions

  1. `pnpm install`
  2. `pnpm run build`
  3. `pnpm run test`
  4. Verify in ArgoCD preview

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.
  • I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practices.

@taymoor89 taymoor89 requested a review from a team as a code owner April 10, 2026 13:42
@taymoor89 taymoor89 added the greenhouse-pr-preview Builds a PR preview for greenhouse shell app and plugins. label Apr 10, 2026
changeset-bot bot commented Apr 10, 2026

🦋 Changeset detected

Latest commit: 44f5600

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name                                  Type
@cloudoperators/juno-app-greenhouse   Patch


@taymoor89 taymoor89 self-assigned this Apr 10, 2026
@taymoor89 taymoor89 force-pushed the fix/vulnerability-lodash-cve-2026-4800 branch from ec0d487 to 37b4a9b April 10, 2026 14:17

Commit message:
  - Pinned lodash to 4.18.0 in apps/greenhouse (direct dep)
  - Updated @microsoft/api-extractor 7.57.7 -> 7.58.2 (ships lodash ~4.18.1 natively)
  - Updated @graphql-codegen/plugin-helpers 6.2.0 -> 6.2.1 (ships lodash ~4.18.1 natively)
  - Fixes Dependabot alerts #202, #203, #204, #205

@taymoor89 taymoor89 force-pushed the fix/vulnerability-lodash-cve-2026-4800 branch from 37b4a9b to 44f5600 April 10, 2026 14:27