Skip to content

fix(deps): bump lodash to 4.18.1 in vulnerability-frontend [foreman-3.18]#2569

Open
Odilhao wants to merge 1 commit into
RedHatInsights:foreman-3.18from
Odilhao:fix/foreman-3.18-lodash-4.18.0
Open

fix(deps): bump lodash to 4.18.1 in vulnerability-frontend [foreman-3.18]#2569
Odilhao wants to merge 1 commit into
RedHatInsights:foreman-3.18from
Odilhao:fix/foreman-3.18-lodash-4.18.0

Conversation

@Odilhao
Copy link
Copy Markdown

@Odilhao Odilhao commented Apr 22, 2026
edited by sourcery-ai Bot
Loading

Summary

Bumps lodash (transitive dependency) in vulnerability-frontend to resolve 2 security CVEs.
All changes are confined to dependency lockfiles and the overrides section of package.json; no application logic was modified.

CVEs addressed

CVE ID Package Old version New version Jira
CVE-2026-4800 lodash 4.17.21 4.18.1 SAT-43987
CVE-2025-13465 lodash 4.17.21 4.18.1 SAT-41941

Changes

File Change
package.json Added lodash override to pin transitive dependency to ^4.18.0
package-lock.json Bumped lodash from 4.17.21 to 4.18.1

Testing

  • CI pipeline passes on this branch.
  • No breaking changes to public API or types introduced by the version bump.
  • If lockfile was manually edited (pipenv/poetry/npm unavailable), confirm the lock regeneration CI step succeeds.

References

Summary by Sourcery

Bug Fixes:

  • Resolve lodash security vulnerabilities by pinning the transitive dependency to version 4.18.x via package.json overrides and lockfile update.

@Odilhao Odilhao requested a review from a team as a code owner April 22, 2026 14:29
@sourcery-ai
Copy link
Copy Markdown

sourcery-ai Bot commented Apr 22, 2026
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Dependency-only security update that pins the transitive lodash version for vulnerability-frontend via package.json overrides and corresponding lockfile changes; no application code or behavior is intentionally altered.

File-Level Changes

Change Details Files
Pin lodash transitive dependency to a secure version via npm overrides.
  • Extend the existing npm overrides map to include lodash pinned to version range ^4.18.0, alongside the existing @react-pdf/renderer -> react override.
  • Ensure all consumers that pull lodash as a transitive dependency resolve to a version >= 4.18.0 without touching direct dependencies or runtime code.
 package.json
Align lockfile to resolved lodash 4.18.1 matching the new override constraint.
  • Update the npm lockfile entries so that lodash is resolved to 4.18.1 instead of 4.17.21.
  • Regenerate or adjust dependency metadata in the lockfile to be consistent with the new lodash resolution while leaving other packages unchanged as much as possible.
 package-lock.json
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@Odilhao
Copy link
Copy Markdown
Author

Odilhao commented Apr 22, 2026

Master branch fix: #2568 · Other backport: foreman-3.16 #2570

This was referenced Apr 22, 2026
Open
Open
sourcery-ai[bot]
sourcery-ai Bot reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • Consider tightening the lodash override to the exact patched version used in the lockfile (e.g. "4.18.1" instead of "^4.18.0") so that future minor/patch releases don’t silently change the resolved version for this security-sensitive dependency.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- Consider tightening the lodash override to the exact patched version used in the lockfile (e.g. "4.18.1" instead of "^4.18.0") so that future minor/patch releases don’t silently change the resolved version for this security-sensitive dependency.

## Individual Comments

### Comment 1
<location path="package.json" line_range="43" />
<code_context>
       "react": "^18.2.0"
-    }
+    },
+    "lodash": "^4.18.0"
   },
   "sassIncludes": {
</code_context>
<issue_to_address>
**issue (bug_risk):** The overridden lodash version ^4.18.0 does not appear to be a published version and may break installs.

Lodash’s latest stable release is 4.17.21; 4.18.0 is not published on npm, so this override will cause `npm install` to fail. If you’re enforcing a minimum secure version, update this to `^4.17.21` (or another actually published secure version).
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread package.json
"react": "^18.2.0"
}
},
"lodash": "^4.18.0"
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): The overridden lodash version ^4.18.0 does not appear to be a published version and may break installs.

Lodash’s latest stable release is 4.17.21; 4.18.0 is not published on npm, so this override will cause npm install to fail. If you’re enforcing a minimum secure version, update this to ^4.17.21 (or another actually published secure version).

@Odilhao
Copy link
Copy Markdown
Author

Odilhao commented Apr 22, 2026

Thanks for the review! To clarify: lodash 4.18.1 is published on npm — npm install resolved ^4.18.0 to 4.18.1 and the lockfile confirms it (latest tag is now 4.18.1). The override uses ^4.18.0 intentionally so future patch releases still satisfy the CVE requirement without needing another PR — the lockfile is pinned at 4.18.1 for reproducible installs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Odilhao