fix(security): bump lodash from ~4.17.23 to ~4.18.0 #833
Merged
Kikobeats merged 5 commits into microlinkhq:master from Apr 14, 2026
lodash ~4.17.23 is affected by two security vulnerabilities patched in 4.18.0:

- Code injection via _.template imports key names (bypass of the CVE-2021-23337 fix — untrusted imports key names flow into the same Function() sink as the variable option)
- Prototype pollution via array path bypass in _.unset / _.omit (array-wrapped segments bypass the string-only guard introduced in CVE-2025-13465)

Widen the range to ^4.18.0 in @metascraper/helpers, metascraper-iframe, and metascraper-logo so consumers can resolve to the patched version without resorting to overrides/resolutions.

Closes microlinkhq#832
The load-iframe 'markup is correct' test was snapshotting the entire HTML from a live third-party URL, causing frequent failures whenever Transistor updated their player markup or asset hashes. Replace the snapshot with structural assertions that verify the iframe loads correctly without being coupled to third-party markup details.
Summary

Widens the lodash dependency range from ~4.17.23 to ^4.18.0 in three packages to resolve two security vulnerabilities patched in lodash 4.18.0. Closes #832

Vulnerabilities fixed

Code injection via _.template imports key names (High severity)

The fix for CVE-2021-23337 validated the variable option in _.template but left options.imports key names unvalidated — both paths flow into the same Function() constructor sink. An attacker who controls imports key names can execute arbitrary code at template compilation time. Additionally, assignInWith was used to merge imports, which enumerates inherited properties via for..in, making prototype-polluted keys reachable.

Patched in 4.18.0 by:
- importsKeys against reForbiddenIdentifierChars
- assignInWith with assignWith (own properties only)

Prototype pollution via array path bypass in _.unset / _.omit (Medium severity)

The patch for CVE-2025-13465 only guarded against string key members. Passing array-wrapped path segments bypasses the check, allowing deletion of properties from Object.prototype, Number.prototype, and String.prototype. Patched in 4.18.0.

Packages changed

Package               Old range   New range
@metascraper/helpers  ~4.17.23    ^4.18.0
metascraper-iframe    ~4.17.23    ^4.18.0
metascraper-logo      ~4.17.23    ^4.18.0

Compatibility

lodash 4.18.0 is a semver-minor release — fully backwards compatible with 4.17.x. No API changes affect the usage in these packages.
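As an added example (not lodash's code and not part of this PR), two defensive checks that mirror the fixes described above: reading template import names as own properties only and requiring them to be plain identifiers, and guarding path segments only after coercing them to the string key that will actually be used. The function names and the identifier regex are this example's own assumptions, not lodash internals.

```javascript
// Added example, not lodash's or the PR's code: defensive checks mirroring the two
// fixes described in the PR body. Function names and the identifier regex are this
// example's own assumptions, not lodash internals.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Fix 1 (template imports): read only OWN keys (Object.keys, the assignWith behaviour)
// so inherited or polluted keys are never merged, and require each key to be a plain
// identifier so a key name can never change the code the template compiler generates.
function assertSafeImportKeys(imports) {
  const keys = Object.keys(imports);
  for (const key of keys) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError(`unsafe template import name: ${JSON.stringify(key)}`);
    }
  }
  return keys;
}

// Contrast: a for..in walk (the assignInWith behaviour) also yields inherited keys.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Fix 2 (unset/omit paths): a guard that tests `typeof seg === 'string'` first says
// "safe" for an array-wrapped segment, even though that segment is later coerced to
// the very same string key. Check the segment AFTER coercing it the way it will be used.
function stringOnlyGuardFlags(seg) {
  return typeof seg === 'string' && FORBIDDEN_KEYS.has(seg);
}

function assertSafePath(path) {
  const segments = typeof path === 'string' ? path.split('.') : path;
  const keys = segments.map(seg => (typeof seg === 'string' ? seg : String(seg)));
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden path segment: ${key}`);
  }
  return keys;
}

// Constructed sample: an imports object whose prototype carries an extra key.
const importsWithInheritedKey = Object.assign(Object.create({ leaked: 1 }), { helper: 1 });
```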