fix: Bump lodash from 4.17.23 to 4.18.1

[mtrezza]

Bumps lodash from 4.17.23 to 4.18.1.

Security Fixes

• GHSA-r5fr-rjxr-66jc (high): Code injection via _.template imports keys. Incomplete patch for CVE-2021-23337. imports keys containing forbidden identifier characters now throw an error.
• GHSA-f23m-r3pf-42rh (medium): Prototype pollution in _.unset / _.omit via constructor/prototype path traversal. constructor and prototype are now blocked unconditionally as non-terminal path keys.

Bug Fixes (4.18.1)

• Fixes ReferenceError in _.template and _.fromPairs when using modular builds.

Changes

• package.json: lodash 4.17.23 -> 4.18.1
• package-lock.json: updated accordingly

Closes #10386

Summary by CodeRabbit

• Chores
  • Updated lodash library dependency to the latest stable version.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9f3ad2cb-8cc0-44f8-8389-7af4e1a2b303

📥 Commits

Reviewing files that changed from the base of the PR and between 0508874 and d924c3c.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

Updates lodash dependency from version 4.17.23 to 4.18.1 in package.json and package-lock.json, incorporating security fixes and bug corrections from the upstream release.

Changes

Cohort / File(s)	Summary
Dependency Update package.json, package-lock.json	Bumped lodash from 4.17.23 to 4.18.1, updating resolved tarball URLs and integrity hashes. The new version includes security patches for prototype pollution in _.unset/_.omit and code injection in _.template, plus bug fixes for modular builds.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Engage In Review Feedback	❓ Inconclusive	Cannot assess custom check without access to GitHub PR #10393 review comments and discussions.	Access GitHub PR #10393 directly to review comments section and verify if reviewers provided feedback.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'fix: Bump lodash from 4.17.23 to 4.18.1' begins with the 'fix:' prefix and accurately describes the main change: bumping the lodash dependency to a version with security fixes.
Description check	✅ Passed	The PR description provides detailed information about the lodash bump, including security fixes, bug fixes, and changes to package files, though it deviates from the template structure.
Linked Issues check	✅ Passed	The PR successfully addresses issue #10386 by updating lodash to 4.18.1, applying all required security and bug fixes documented in the linked issue.
Out of Scope Changes check	✅ Passed	All changes in the PR are directly related to the lodash dependency bump objective; only package.json and package-lock.json were modified as required.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	PR updates lodash to 4.18.1, patching GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh vulnerabilities with no application code changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.510)

package.json

2026-04-03 17:19:09,245 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 17:19:09,251 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 17:19:09,253 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 17:19:09,304 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

[MainThread ] [WARNI] Secret scanning: could not process file package.json
2026-04-03 17:19:09,347 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.51%. Comparing base (0508874) to head (d924c3c).
⚠️ Report is 2 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10393   +/-   ##
=======================================
  Coverage   92.51%   92.51%           
=======================================
  Files         192      192           
  Lines       16624    16624           
  Branches      229      229           
=======================================
  Hits        15379    15379           
  Misses       1223     1223           
  Partials       22       22           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.8.0-alpha.3