
build(deps): bump lodash from 4.17.21 to 4.18.1 in /webapp #528

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/webapp/lodash-4.18.1

Conversation


dependabot[bot] commented on behalf of github on Apr 2, 2026

Bumps lodash from 4.17.21 to 4.18.1.

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails because the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade lodash from 4.17.21 to 4.18.1 in the webapp to bring in security patches and a modular build bug fix. No app code changes.

  • Dependencies
    • Updated lodash to 4.18.1.
    • Fixes prototype pollution in _.unset/_.omit and code injection in _.template.
    • Includes a fix for a ReferenceError in modular builds (template, fromPairs).

Written for commit 51449cd. Summary will update on new commits.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Apr 2, 2026
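The two 4.18.0 security fixes quoted in the release notes above, reduced to minimal stand-ins so the bug class and the guard can be seen side by side. This is an added example and not lodash's code: part 1 is a path-walking unset that treats `constructor`/`prototype` like any other key, beside one that refuses them as non-terminal keys and rejects primitive roots; part 2 is a template compiler that hands the `imports` keys straight to `Function()` as its parameter list, beside one that validates the keys first. `BLOCKED_NON_TERMINAL`, `toPath`, the demo helpers, and the forbidden-character regex (assumed to match lodash's `reForbiddenIdentifierChars`) are assumptions for illustration; the sentinel property and the hostile imports key are constructed inputs.

```javascript
'use strict';
// Added example, not lodash's code: minimal stand-ins for the two 4.18.0 fixes.
// Part 1: an _.unset-style path delete, naive beside hardened.
// Part 2: an _.template-style compile, naive beside hardened.

// ---- Part 1: prototype pollution via constructor/prototype traversal ----

// Keys refused anywhere before the final path segment (assumed list).
const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Accepts an array of segments or a dotted string. Every segment is stringified,
// so an array-wrapped segment such as ['constructor'] becomes 'constructor'
// before the blocklist check (assumption about what "array-wrapped path
// segments" in the release notes refers to).
function toPath(path) {
  return (Array.isArray(path) ? path : String(path).split('.')).map(String);
}

// Naive: follows the path through inherited properties and deletes the last
// key wherever it lands. ['constructor', 'prototype', X] on {} reaches
// Object.prototype; on a primitive root such as 42 it reaches Number.prototype.
function naiveUnset(obj, path) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return true; // nothing to delete
    cur = cur[keys[i]];
  }
  return cur == null ? true : delete cur[keys[keys.length - 1]];
}

// Hardened: rejects primitive roots, and refuses constructor/prototype/__proto__
// as non-terminal keys. On refusal it returns false and leaves the target alone.
function safeUnset(obj, path) {
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return false;
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (BLOCKED_NON_TERMINAL.has(keys[i])) return false;
    if (cur == null) return true;
    cur = cur[keys[i]];
  }
  return cur == null ? true : delete cur[keys[keys.length - 1]];
}

// Plants a sentinel on a built-in prototype, runs the unset, and reports whether
// the sentinel survived. The sentinel is removed again either way.
function runUnsetDemo(unsetFn, root, proto) {
  Object.defineProperty(proto, 'sentinel', { value: 1, configurable: true, writable: true });
  try {
    const returned = unsetFn(root, ['constructor', 'prototype', 'sentinel']);
    return { returned, survived: Object.prototype.hasOwnProperty.call(proto, 'sentinel') };
  } finally {
    delete proto.sentinel;
  }
}

// ---- Part 2: code injection via imports keys ----

// Characters that disqualify a key as a plain identifier (assumed to match
// lodash's reForbiddenIdentifierChars, the check the fix extends to imports).
const FORBIDDEN_IDENTIFIER_CHARS = /[()=,{}\[\]\/\s]/;

// Naive: the imports keys become the Function() parameter list unchecked, so a
// key carrying a default-parameter expression executes it at call time.
function naiveCompile(source, imports) {
  const keys = Object.keys(imports);
  const values = keys.map((k) => imports[k]);
  const fn = Function(keys.join(', '), 'return ' + source);
  return () => fn.apply(undefined, values);
}

// Hardened: every key is validated before it can reach the Function() sink.
function safeCompile(source, imports) {
  for (const key of Object.keys(imports)) {
    if (FORBIDDEN_IDENTIFIER_CHARS.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return naiveCompile(source, imports);
}

// Hostile imports object (constructed): the value is undefined so the default
// parameter in the key fires. Reports whether compile threw and whether the
// side effect landed on globalThis.
function runTemplateDemo(compileFn) {
  delete globalThis.pwned;
  const evil = { "helper = (globalThis.pwned = 'yes'), x": undefined };
  let threw = false;
  try {
    compileFn("'hello'", evil)();
  } catch (e) {
    threw = true;
  }
  const pwned = globalThis.pwned === 'yes';
  delete globalThis.pwned;
  return { threw, pwned };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runUnsetDemo(naiveUnset, {}, Object.prototype), runUnsetDemo(safeUnset, {}, Object.prototype));
  console.log(runTemplateDemo(naiveCompile), runTemplateDemo(safeCompile));
}
```

Run with `node`: the naive unset reports `returned: true, survived: false` (the sentinel was deleted from `Object.prototype`) while the hardened one reports `returned: false, survived: true`, which is the behaviour change the release notes describe; the naive compile reports `threw: false, pwned: true` and the hardened one `threw: true, pwned: false`. The same two probes, pointed at the real `_.unset` and `_.template` instead of these stand-ins, make a quick post-upgrade smoke test that the installed lodash is really 4.18.x rather than whatever a stale lock file resolved.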

vercel Bot commented Apr 2, 2026

The latest updates on your projects.

Project Deployment Actions Updated (UTC)
ever-traduora-docs Error Error Apr 2, 2026 2:48pm



cla-assistant Bot commented Apr 2, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


sonarqubecloud Bot commented Apr 2, 2026

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.

Action: Warn. Severity: Critical.
Critical CVE: SQL Injection and Cross-site Scripting in npm class-validator

CVE: GHSA-fj58-h2fr-3pp2 SQL Injection and Cross-site Scripting in class-validator (CRITICAL)

Affected versions: < 0.14.0

Patched version: 0.14.0

From: api/package.json, npm/class-validator@0.13.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/class-validator@0.13.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn. Severity: Critical.
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: api/package.json, npm/handlebars@4.7.7


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn. Severity: Critical.
Critical CVE: SQL injection in typeORM

CVE: GHSA-fx4w-v43j-vc45 SQL injection in typeORM (CRITICAL)

Affected versions: < 0.3.0

Patched version: 0.3.0

From: api/package.json, npm/typeorm@0.2.37


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typeorm@0.2.37. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn. Severity: Critical.
Critical CVE: Cross-realm object access in Webpack 5

CVE: GHSA-hc6q-2mpp-qw7j Cross-realm object access in Webpack 5 (CRITICAL)

Affected versions: >= 5.0.0 < 5.76.0

Patched version: 5.76.0

From: api/package.json, npm/webpack@5.52.1


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.52.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


cubic-dev-ai Bot left a comment


No issues found across 1 file


greptile-apps Bot commented Apr 2, 2026

Greptile Summary

This Dependabot PR bumps lodash from 4.17.21 to 4.18.1 in webapp/package.json, picking up two security fixes: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh) and code injection in _.template (GHSA-r5fr-rjxr-66jc / CVE-2026-4800), plus a follow-up bug fix in 4.18.1.

  • webapp/yarn.lock was not updated — it still resolves lodash to 4.17.21, so yarn install will continue to install the vulnerable version until the lock file is regenerated (e.g. by running yarn upgrade lodash or letting Dependabot regenerate the PR).

Confidence Score: 4/5

Not safe to merge as-is — the yarn.lock must be updated for the security fixes to take effect.

The package.json version range is correct, but the yarn.lock file still pins lodash to 4.17.21. Because Yarn prioritises the lock file, the two security patches (prototype pollution and template code injection) will not be installed until the lock file is regenerated. This is a concrete P1 defect on the changed path.

webapp/yarn.lock needs to be updated to resolve lodash to 4.18.1.

Important Files Changed

Filename Overview
webapp/package.json Bumps lodash to ^4.18.1 for two security fixes, but webapp/yarn.lock was not updated and still pins 4.17.21, so the security patches won't be installed by yarn install.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer runs yarn install] --> B{Does yarn.lock exist?}
    B -- Yes --> C[Yarn reads webapp/yarn.lock]
    C --> D[Resolves lodash → 4.17.21]
    D --> E[❌ Installs lodash 4.17.21\nSecurity fixes NOT applied]
    B -- No --> F[Yarn resolves from package.json\nlodash ^4.18.1]
    F --> G[✅ Installs lodash 4.18.1\nSecurity fixes applied]
    style E fill:#f88,stroke:#c00
    style G fill:#8f8,stroke:#090

Comments Outside Diff (1)

  1. webapp/package.json, line 25

    P2 fmt script missing file types

    The fmt script only targets *.ts files. Per project conventions, it should also cover .jsx, .json, .css, and .md assets for consistent formatting across the whole webapp.

    Rule Used: Expand the format script in package.json to includ... (source)

    Learnt From
    ever-co/ever-teams#3858

    Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Reviews (1): Last reviewed commit: "build(deps): bump lodash from 4.17.21 to..."

Comment thread: webapp/package.json
"flag-icon-css": "^3.5.0",
"jwt-decode": "^3.1.2",
"lodash": "^4.17.21",
"lodash": "^4.18.1",

P1 yarn.lock not updated — security fixes won't install

webapp/yarn.lock still resolves lodash to 4.17.21 (line 5057 of the lock file). When any developer runs yarn install, Yarn reads the lock file and installs the pinned 4.17.21, completely bypassing the ^4.18.1 range in package.json. This means the two security patches shipped in 4.18.0 — prototype pollution via constructor/prototype traversal in _.unset/_.omit (GHSA-f23m-r3pf-42rh) and code injection via imports keys in _.template (GHSA-r5fr-rjxr-66jc / CVE-2026-4800) — will not be applied until the lock file is regenerated.

Rule Used: When updating dependencies via automated PRs (like... (source)

Learnt From
ever-co/ever-traduora#478
