From 88d871e46379802467f6db3da3e4d6f3f36d977b Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Mon, 27 Apr 2026 10:13:15 -0400
Subject: [PATCH] chore: Clear lodash _.template injection advisory from audit ignore list (#12180)

Pin lodash and lodash-es to ^4.18.1 via resolutions so transitive deps pick up the patched versions, then drop the advisory ID.
Co-authored-by: Claude Opus 4.7
---
 .yarnrc.yml | 1 -
 package.json | 10 +++++++++-
 yarn.lock | 17 +++++------------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.yarnrc.yml b/.yarnrc.yml
index e1e70e6265..07c071cee6 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -12,4 +12,3 @@ npmPreapprovedPackages:
 npmAuditIgnoreAdvisories:
  - "1113517" # GHSA-mw96-cpmx-2vgc rollup <2.80.0 path traversal (workbox-build, build-time)
  - "1113686" # GHSA-5c6j-r48x-rmvq serialize-javascript RCE (@rollup/plugin-terser, build-time)
- - "1115805" # GHSA-r5fr-rjxr-66jc lodash-es _.template injection (mermaid; not exposed to user-controlled template keys)
diff --git a/package.json b/package.json
index 603445c593..ac07967f9e 100644
--- a/package.json
+++ b/package.json
@@ -408,7 +408,15 @@
 "picomatch@npm:^2.2.3": "^2.3.2",
 "picomatch@npm:^2.3.1": "^2.3.2",
 "picomatch@npm:^4.0.2": "^4.0.4",
- "picomatch@npm:^4.0.3": "^4.0.4"
+ "picomatch@npm:^4.0.3": "^4.0.4",
+ "lodash@npm:4.17.21": "^4.18.1",
+ "lodash@npm:^4.17.11": "^4.18.1",
+ "lodash@npm:^4.17.20": "^4.18.1",
+ "lodash@npm:^4.17.21": "^4.18.1",
+ "lodash@npm:^4.17.23": "^4.18.1",
+ "lodash-es@npm:4.17.23": "^4.18.1",
+ "lodash-es@npm:^4.17.21": "^4.18.1",
+ "lodash-es@npm:^4.17.23": "^4.18.1"
 },
 "version": "1.7.0",
 "packageManager": "yarn@4.11.0"
diff --git a/yarn.lock b/yarn.lock
index be8d43dd48..0148401b12 100644
--- a/yarn.lock
+++ b/yarn.lock
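Review bot: The eight new resolutions entries in package.json pin lodash and lodash-es only for the exact descriptors present in the tree today, so a dependency added later that requests lodash under any other range (a constructed example: `^4.17.15`) would resolve past this override to a pre-4.18 build; if Yarn's range-less resolution form applies here as documented, collapsing them to `"lodash": "^4.18.1"` and `"lodash-es": "^4.18.1"` covers every requester and is less to maintain. The advisory ID dropped from .yarnrc.yml is the safety net for that case, since `yarn npm audit` would flag a regression, but only where audit runs in CI, which this patch does not show. As a point of style, the block is appended after the picomatch entries although the visible picomatch keys are sorted by name; placing the lodash entries ahead of picomatch keeps the map ordered. The enclosing `resolutions` object starts before this hunk.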
@@ -15300,10 +15300,10 @@ __metadata:
  languageName: node
  linkType: hard
 
-"lodash-es@npm:4.17.23, lodash-es@npm:^4.17.21, lodash-es@npm:^4.17.23":
- version: 4.17.23
- resolution: "lodash-es@npm:4.17.23"
- checksum: 10c0/3150fb6660c14c7a6b5f23bd11597d884b140c0e862a17fdb415aaa5ef7741523182904a6b7929f04e5f60a11edb5a79499eb448734381c99ffb3c4734beeddd
+"lodash-es@npm:^4.18.1":
+ version: 4.18.1
+ resolution: "lodash-es@npm:4.18.1"
+ checksum: 10c0/35d4dcf87ef07f8d090f409447575800108057e360b445f590d0d25d09e3d1e33a163d2fc100d4d072b0f901d5e2fc533cd7c4bfd8eeb38a06abec693823c8b8
  languageName: node
  linkType: hard
 
@@ -15440,14 +15440,7 @@ __metadata:
  languageName: node
  linkType: hard
 
-"lodash@npm:4.17.21":
- version: 4.17.21
- resolution: "lodash@npm:4.17.21"
- checksum: 10c0/d8cbea072bb08655bb4c989da418994b073a608dffa608b09ac04b43a791b12aeae7cd7ad919aa4c925f33b48490b5cfe6c1f71d827956071dae2e7bb3a6b74c
- languageName: node
- linkType: hard
-
-"lodash@npm:^4.17.11, lodash@npm:^4.17.20, lodash@npm:^4.17.21, lodash@npm:^4.17.23":
+"lodash@npm:^4.18.1":
  version: 4.18.1
  resolution: "lodash@npm:4.18.1"
  checksum: 10c0/757228fc68805c59789e82185135cf85f05d0b2d3d54631d680ca79ec21944ec8314d4533639a14b8bcfbd97a517e78960933041a5af17ecb693ec6eecb99a27