
Bump lodash-es from 4.17.4 to 4.18.1 in /PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux #117

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/lodash-es-4.18.1


@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps lodash-es from 4.17.4 to 4.18.1.

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
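The two fixes in the Security section of the quoted release notes (the constructor/prototype guard in _.unset/_.omit and the imports-key validation in _.template) describe a rule rather than show it. The block below is an added example written for this page; it is not lodash's code and not part of the Dependabot comment. It implements a minimal unset/omit that applies the stated rule (constructor and prototype are rejected unconditionally as non-terminal path keys, whatever form the path or root takes, and a rejected call returns false with the target untouched) and an imports-key check that accepts only plain identifiers. The helper names, the identifier regex, the own-property-only traversal and the extra __proto__ block are choices of this example, not lodash internals.

```javascript
// Added example, not lodash's own code. Mirrors the rule from the 4.18.0
// release notes for _.unset/_.omit and the spirit of the _.template fix.
// Names, regex and the extra `__proto__` entry are assumptions of this example.

const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Only objects and functions can be traversed; a primitive root (one of the
// bypasses the notes mention) is simply not walkable, so nothing is deleted.
function isWalkable(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Normalise a path into flat string keys. Accepts 'a.b.c', ['a', 'b', 'c'] or
// nested arrays such as [['constructor'], 'prototype', 'x'] (array-wrapped
// segments were the other bypass the notes mention), so the guard below sees
// every segment in the same form.
function toPath(path) {
  return Array.isArray(path) ? path.flat(Infinity).map(String) : String(path).split('.');
}

// Deletes the own, configurable property at `path` on `object`. Returns true
// only when a property was actually deleted; any rejected or unwalkable path
// returns false and leaves `object` unchanged.
function safeUnset(object, path) {
  const keys = toPath(path);
  if (keys.length === 0) return false;

  // The rule from the release notes: no non-terminal segment may be a
  // prototype-reaching key, regardless of how the path or the root looks.
  for (let i = 0; i < keys.length - 1; i++) {
    if (BLOCKED_NON_TERMINAL.has(keys[i])) return false;
  }

  // Walk own properties only, so inherited members (e.g. `obj.constructor`
  // reached through the prototype chain) are never traversed.
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isWalkable(current) || !Object.prototype.hasOwnProperty.call(current, keys[i])) return false;
    current = current[keys[i]];
  }

  const last = keys[keys.length - 1];
  if (!isWalkable(current)) return false;
  const descriptor = Object.getOwnPropertyDescriptor(current, last);
  if (!descriptor || !descriptor.configurable) return false;
  delete current[last];
  return true;
}

// Plain-data deep copy so `safeOmit` never mutates its input.
function clonePlain(value) {
  if (Array.isArray(value)) return value.map(clonePlain);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = clonePlain(value[key]);
    return out;
  }
  return value;
}

// omit built on the same guarded unset: rejected paths are silently skipped.
function safeOmit(object, paths) {
  const result = clonePlain(object);
  for (const path of paths) safeUnset(result, path);
  return result;
}

// Imports keys end up as parameter names in generated template source, so
// only plain identifiers are acceptable. This regex is an assumption of the
// example; it is not lodash's reForbiddenIdentifierChars.
const VALID_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Throws with the message the release notes quote when any key is not a plain
// identifier; returns true otherwise.
function validateImportsKeys(imports) {
  for (const key of Object.keys(imports || {})) {
    if (!VALID_IDENTIFIER.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return true;
}

// Constructed demonstration input.
const target = { a: { b: 1 }, c: 2 };
console.log(safeUnset(target, 'a.b'), target);                              // true { a: {}, c: 2 }
console.log(safeUnset({}, ['constructor', 'prototype', 'polluted']));       // false
console.log(safeUnset({}, [['constructor'], 'prototype', 'polluted']));     // false
console.log(safeUnset('primitive root', 'constructor.prototype.polluted')); // false
console.log(Object.prototype.polluted);                                     // undefined
console.log(safeOmit({ a: 1, b: { c: 2, d: 3 } }, ['a', 'b.c']));           // { b: { d: 3 } }
```

The guard runs before any traversal, so the decision does not depend on what the root is or whether a segment arrived wrapped in an array, which is exactly the class of bypass the notes attribute to the old guard. Restricting the walk to own, configurable properties is stricter than the described fix: it also means a path whose terminal key is inherited (such as toString on a plain object) returns false rather than reaching a built-in prototype.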

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.4 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Apr 2, 2026
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@semgrep-code-squarespace

Semgrep found 1 ssc-14f6c9a3-9712-488d-aa61-02218488adef finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.

Fix: Upgrade this library to at least version 1.2.11 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:4441.

Reference(s): https://osv.dev/vulnerability/MAL-2023-462

Semgrep found 1 ssc-7655e34f-47d3-43f6-b687-32e02f3c8005 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of handlebars are vulnerable to Improper Control of Generation of Code ('Code Injection') / Improper Encoding or Escaping of Output / Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The Handlebars CLI precompiler allows arbitrary JavaScript injection by embedding unescaped template filenames and CLI option values such as --namespace, --commonjs, and --handlebarPath directly into generated output. An attacker who can control these inputs can cause malicious code to execute when the precompiled bundle is loaded in Node.js or a browser.

Manual Review Advice: A vulnerability from this advisory is reachable if you execute templates through the Handlebars CLI precompiler

Fix: Upgrade this library to at least version 4.7.9 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:5921.

Reference(s): GHSA-xjpj-3mr7-gcpf, CVE-2026-33941

Semgrep found 1 ssc-c5a69759-0cfc-41b4-aa6c-ae584bd301a6 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in-memory compiled assets and source code, and exfiltrate a developer's source files.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument)

Fix: Upgrade this library to at least version 3.1.11 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12860.

Reference(s): GHSA-cf66-xwfp-gvc4, CVE-2018-14732

Semgrep found 1 ssc-783d6282-b329-42de-b9e3-741ae63ddaa7 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of http-proxy are vulnerable to Incomplete List of Disallowed Inputs / Protection Mechanism Failure. A denial-of-service exists in node-http-proxy when using proxyReq.setHeader: an HTTP request with a body longer than ~1024 bytes triggers an unhandled ERR_HTTP_HEADERS_SENT exception that crashes the proxy server.

Manual Review Advice: A vulnerability from this advisory is reachable if you set headers on the proxy request using the proxyReq.setHeader function in a standalone proxy server implemented using the http-proxy package

Fix: Upgrade this library to at least version 1.18.1 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:6292.

Reference(s): GHSA-6x33-pw7p-hmpq

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12441.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793

Semgrep found 1 ssc-6b25e01f-0c74-4dc1-a6c4-3d650baba180 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.

Fix: Upgrade this library to at least version 1.0.5 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:12311.

Reference(s): GHSA-jgrx-mgxx-jf9v, CVE-2021-3777

Semgrep found 1 ssc-17eda294-146f-4ed3-91f7-5ef1b349d687 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill-provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript

Fix: There are no safe versions of this library available for upgrade. Library included at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:1432.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

Semgrep found 1 ssc-1606921e-eb4c-4a25-bcec-3cbfbc985ee1 finding:

  • PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json

Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.

Fix: Upgrade this library to at least version 0.5.1 at WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react-redux/package-lock.json:2886.

Reference(s): GHSA-hr2v-3952-633q, CVE-2018-3750
