build(deps): bump lodash from 4.17.21 to 4.17.23 in /webapp#509

Closed
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/webapp/lodash-4.17.23

Conversation


@dependabot dependabot Bot commented on behalf of github Jan 21, 2026

Bumps lodash from 4.17.21 to 4.17.23.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade lodash to 4.17.23 in the webapp to include an upstream fix preventing prototype pollution in baseUnset. No app code changes; backward compatible update.

Written for commit 46b8d4b. Summary will update on new commits.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code) Jan 21, 2026
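The bot summaries on this PR describe the upstream change only as a fix "preventing prototype pollution in baseUnset". The snippet below is an added illustration of that vulnerability class in general; it is not lodash's code and does not reproduce the specific lodash issue. It shows why a path-walking "unset" is dangerous when the path is attacker-controlled: following `__proto__` from an instance lands on the shared prototype, so the delete hits every other object of that class. The hardened variant refuses path segments that can reach a prototype and only traverses own properties. All names (`unsafeUnset`, `safeUnset`, `Widget`, `demonstrate`) are hypothetical.

```javascript
// Added illustration of prototype pollution through a path-based unset.
// Not lodash's baseUnset; the helpers and the Widget class are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept "a.b.c" or an array of keys, as most path utilities do.
function toPath(path) {
  return Array.isArray(path) ? path.slice() : String(path).split('.');
}

// Naive version: follows whatever keys it is given, including the ones
// that lead from an instance onto its shared prototype.
function unsafeUnset(obj, path) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return false;
    cur = cur[keys[i]];
  }
  if (cur == null) return false;
  return delete cur[keys[keys.length - 1]];
}

// Hardened version: reject prototype-reaching segments up front, and only
// step through own properties so an inherited key is never traversed.
function safeUnset(obj, path) {
  const keys = toPath(path);
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing to traverse prototype key in path: ${keys.join('.')}`);
  }
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null || !hasOwn(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (cur == null || !hasOwn(cur, last)) return false;
  return delete cur[last];
}

// A class of our own, so the damage is visible but contained to this file.
class Widget {
  greet() { return 'hello'; }
}

// Run one unset implementation against an attacker-style path and report
// whether it was rejected and whether an unrelated instance was damaged.
function demonstrate(unsetFn) {
  const victim = new Widget();
  const bystander = new Widget();
  let error = null;
  try {
    // Attacker-controlled path, e.g. taken from a JSON request body.
    unsetFn(victim, '__proto__.greet');
  } catch (e) {
    error = e;
  }
  const result = {
    rejected: error !== null,
    bystanderStillGreets: typeof bystander.greet === 'function',
  };
  // Repair the shared prototype so later code in this file is unaffected.
  if (!result.bystanderStillGreets) {
    Widget.prototype.greet = function greet() { return 'hello'; };
  }
  return result;
}

console.log('naive   :', demonstrate(unsafeUnset));
console.log('hardened:', demonstrate(safeUnset));
```

The naive run reports `rejected: false` and `bystanderStillGreets: false`, which is the pollution: an unset on one instance removed a method from every instance. The hardened run throws before touching anything. Rejecting the three well-known keys is the minimum; only walking own properties is what makes the guard hold for paths that reach a prototype indirectly.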

vercel Bot commented Jan 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| traduora-docs-co | Error | Error | Jan 21, 2026 11:55pm |



cla-assistant Bot commented Jan 21, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.



coderabbitai Bot commented Jan 21, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | jpegtran-bin@4.0.0 | 90 | 100 | 79 | 80 | 100 |
| Added | docusaurus@1.14.7 | 94 | 100 | 95 | 84 | 100 |
| Updated | bootstrap@4.6.0 ⏵ 5.1.1 | 97 (-2) | 100 | 100 | 86 (+36) | 100 |

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Prototype Pollution in npm immer

CVE: GHSA-33f9-j839-rf8h Prototype Pollution in immer (CRITICAL)

Affected versions: >= 7.0.0 < 9.0.6

Patched version: 9.0.6

From: npm/docusaurus@1.14.7 → npm/immer@8.0.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immer@8.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Improper Neutralization of Special Elements used in a Command in Shell-quote

CVE: GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote (CRITICAL)

Affected versions: >= 1.6.3 < 1.7.3

Patched version: 1.7.3

From: npm/docusaurus@1.14.7 → npm/shell-quote@1.7.2

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/shell-quote@1.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm safer-buffer is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: npm/docusaurus@1.14.7 → npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


augmentcode Bot commented Jan 21, 2026

🤖 Augment PR Summary

Summary: Updates the webapp lodash dependency from 4.17.21 to 4.17.23 to pick up upstream fixes.

Changes: Adjusted the version constraint in webapp/package.json.

🤖 Was this summary useful? React with 👍 or 👎


@augmentcode augmentcode Bot left a comment


Review completed. 1 suggestions posted.


Comment augment review to trigger a new review at any time.

Comment thread webapp/package.json
"flag-icon-css": "^3.5.0",
"jwt-decode": "^3.1.2",
"lodash": "^4.17.21",
"lodash": "^4.17.23",
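Review bot: the only change in this hunk, `"lodash": "^4.17.21"` to `"lodash": "^4.17.23"`, raises the floor of a caret range that already admitted 4.17.23, so by itself it does not force a newer install; what decides the installed version is `webapp/yarn.lock`, which this diff does not touch and which, per the review comments on this PR, still pins 4.17.21. With yarn v1 the lockfile keys each entry as `name@range`, so a range change here with no corresponding lockfile entry leaves the lockfile stale and a CI `yarn install --frozen-lockfile` will refuse it. Regenerate `webapp/yarn.lock` in the same PR so the resolved lodash version actually moves to 4.17.23 and the security fix the summaries describe is what gets installed.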

webapp/yarn.lock currently pins lodash to 4.17.21, so this package.json bump to ^4.17.23 won’t actually change what gets installed when the lockfile is used. Consider updating/regenerating the lockfile so installs reliably pick up 4.17.23.


🤖 Was this useful? React with 👍 or 👎


greptile-apps Bot commented Jan 21, 2026

Greptile Summary

Updated lodash dependency from 4.17.21 to 4.17.23 in the webapp package. This update includes a security fix for prototype pollution in the baseUnset function along with documentation improvements and JSDoc fixes.

Key Issue:

  • yarn.lock file was not updated alongside package.json, violating project dependency management requirements. This creates a risk of inconsistent dependency resolution across different environments and CI/CD pipelines.

What's in this update:

  • Security fix: Prevents prototype pollution on baseUnset function
  • Documentation improvements for JSDoc
  • No breaking changes between 4.17.21 and 4.17.23

Confidence Score: 2/5

  • This PR is not safe to merge without updating yarn.lock
  • While the lodash version update itself is safe and includes important security fixes, the missing yarn.lock update creates a critical issue that violates project requirements and could lead to inconsistent dependency installations across environments
  • webapp/package.json requires corresponding yarn.lock update before merge

Important Files Changed

Filename Overview
webapp/package.json Updated lodash from 4.17.21 to 4.17.23, but missing critical yarn.lock update

Sequence Diagram

```mermaid
sequenceDiagram
    participant D as Dependabot
    participant P as package.json
    participant L as yarn.lock
    participant N as Node Modules

    D->>P: Update lodash: 4.17.21 → 4.17.23
    Note over L: ❌ Lock file not updated
    Note over N: Inconsistent dependency resolution risk
    Note over P,N: yarn.lock must be updated<br/>to match package.json changes
```
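Both reviews above flag the same thing: `webapp/package.json` moved to `^4.17.23` while `webapp/yarn.lock` still pins 4.17.21. The script below is an added example (not the project's code, not Dependabot's, and not either review bot's) of a check a CI step could run to catch that drift before merge. It parses a yarn v1 lockfile, looks each dependency up by the `name@range` key yarn uses, and reports ranges that have no lockfile entry or whose locked version falls outside the range. The manifest and lockfile texts are constructed samples mirroring this PR; `satisfies` understands only exact versions and `^` ranges, which is all this manifest uses.

```javascript
// Added example: detect package.json / yarn.lock drift of the kind the
// reviews above describe. Sample inputs are constructed, not taken from
// the repository.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'webapp',
  dependencies: {
    'jwt-decode': '^3.1.2',
    lodash: '^4.17.23', // bumped in package.json ...
  },
});

// ... but the lockfile still carries the old "lodash@^4.17.21" key.
// (resolved/integrity lines omitted from the sample for brevity.)
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


jwt-decode@^3.1.2:
  version "3.1.2"

lodash@^4.17.21:
  version "4.17.21"
`;

// Parse a yarn v1 lockfile into Map<"name@range", version>. Header lines are
// unindented, end with ":" and may list several comma-separated, optionally
// quoted keys that share one entry.
function parseYarnLockV1(text) {
  const entries = new Map();
  let currentKeys = [];
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      currentKeys = line.slice(0, -1).split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m) for (const k of currentKeys) entries.set(k, m[1]);
  }
  return entries;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal semver: exact versions and "^" ranges only. "^" is treated as
// "same major, not below the floor"; the special 0.x caret rules are ignored.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const floor = range.slice(1);
    return parseVersion(version)[0] === parseVersion(floor)[0]
      && compareVersions(version, floor) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// Report every dependency whose range has no lockfile entry (stale lockfile,
// which `yarn install --frozen-lockfile` rejects) or whose locked version is
// outside the declared range.
function checkLockDrift(packageJsonText, yarnLockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = parseYarnLockV1(yarnLockText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(deps)) {
    const key = `${name}@${range}`;
    if (lock.has(key)) {
      const locked = lock.get(key);
      if (!satisfies(locked, range)) {
        problems.push({ name, range, locked, reason: 'locked version outside range' });
      }
      continue;
    }
    // No entry for this range: show what the lockfile does pin, if anything.
    const pinned = [...lock.entries()]
      .filter(([k]) => k.startsWith(`${name}@`))
      .map(([, v]) => v);
    problems.push({
      name, range,
      locked: pinned.length ? pinned.join(', ') : null,
      reason: 'no lockfile entry for this range (lockfile stale)',
    });
  }
  return problems;
}

console.log(checkLockDrift(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

On the sample the check reports exactly one problem, lodash at `^4.17.23` with the lockfile still pinning 4.17.21; `jwt-decode` passes because its `name@range` key is present and the pinned version satisfies the range. In a real pipeline the same signal comes for free from `yarn install --frozen-lockfile`, but a check like this gives a readable list of which packages drifted rather than a bare failure.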


@greptile-apps greptile-apps Bot left a comment


1 file reviewed, 1 comment


Comment thread webapp/package.json
"flag-icon-css": "^3.5.0",
"jwt-decode": "^3.1.2",
"lodash": "^4.17.21",
"lodash": "^4.17.23",

logic: yarn.lock file not updated alongside package.json. Per project requirements, dependency updates must update lock files to ensure consistent installs across environments.

Context Used: Rule from dashboard - When updating dependencies via automated PRs (like Dependabot), ensure the package.json file is expl... (source)


dependabot Bot commented on behalf of github Apr 2, 2026

Superseded by #528.

@dependabot dependabot Bot closed this Apr 2, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/webapp/lodash-4.17.23 branch April 2, 2026 14:44