From 1ac38d0029e4bd487cbfb5891f21707b1300fb49 Mon Sep 17 00:00:00 2001 From: Sunny Wu Date: Tue, 7 Apr 2026 11:38:28 +1000 Subject: [PATCH] UID2-6871: Fix CVE-2026-4800 by upgrading lodash to 4.18.1 Add lodash override (^4.18.0) in package.json overrides for both react-client-side apps to resolve CVE-2026-4800 in the transitive lodash@4.17.21 dependency. Regenerated lockfiles confirm lodash@4.18.1 is now installed in place of 4.17.21. Co-Authored-By: Claude Sonnet 4.6
---
 .../react-client-side/package-lock.json | 22 ++++++++++++++++--- .../react-client-side/package.json | 3 ++- .../react-client-side/package-lock.json | 22 ++++++++++++++++--- .../react-client-side/package.json | 3 ++- 4 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/web-integrations/google-secure-signals/react-client-side/package-lock.json b/web-integrations/google-secure-signals/react-client-side/package-lock.json
index 259a43e..c7287f0 100644
--- a/web-integrations/google-secure-signals/react-client-side/package-lock.json
+++ b/web-integrations/google-secure-signals/react-client-side/package-lock.json
@@ -10561,9 +10561,9 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==" }, "node_modules/lodash.debounce": { "version": "4.0.8",
@@ -15295,6 +15295,22 @@ } } }, + "node_modules/tailwindcss/node_modules/yaml": { + "version": "2.8.3", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz", + "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==", + "optional": true, + "peer": true, + "bin": { + "yaml": "bin.mjs" + }, + "engines": { + "node": ">= 14.6" + }, + "funding": { + "url": "https://github.com/sponsors/eemeli" + } + }, "node_modules/tapable": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
diff --git a/web-integrations/google-secure-signals/react-client-side/package.json b/web-integrations/google-secure-signals/react-client-side/package.json
index 9f89832..bd1676c 100644
--- a/web-integrations/google-secure-signals/react-client-side/package.json
+++ b/web-integrations/google-secure-signals/react-client-side/package.json
@@ -36,7 +36,8 @@
 "underscore": "^1.13.8",
 "flatted": "^3.4.2",
 "path-to-regexp@0": "0.1.13",
- "picomatch": "^2.3.2"
+ "picomatch": "^2.3.2",
+ "lodash": "^4.18.0"
 },
 "scripts": {
 "start": "node server.js",
diff --git a/web-integrations/javascript-sdk/react-client-side/package-lock.json b/web-integrations/javascript-sdk/react-client-side/package-lock.json
index 7b70972..4cf8878 100644
--- a/web-integrations/javascript-sdk/react-client-side/package-lock.json
+++ b/web-integrations/javascript-sdk/react-client-side/package-lock.json
@@ -10533,9 +10533,9 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==" }, "node_modules/lodash.debounce": { "version": "4.0.8",
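Review bot: The added `"lodash": "^4.18.0"` line in web-integrations/google-secure-signals/react-client-side/package.json sets a floor one patch release below the 4.18.1 that the subject names as the upgrade target, so the range still admits 4.18.0 and only the lockfile pins the tree to 4.18.1. The page does not say which release first carries the fix for CVE-2026-4800; if it is 4.18.1, `"lodash": "^4.18.1"` would make the manifest itself enforce the fixed version. The same line is added in web-integrations/javascript-sdk/react-client-side/package.json. The object being edited opens outside the hunk (the description calls it `overrides`). The regenerated lockfiles also gain a `node_modules/tailwindcss/node_modules/yaml` 2.8.3 entry that the description does not mention, which is worth confirming as an expected side effect of regeneration.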
@@ -15263,6 +15263,22 @@ } } }, + "node_modules/tailwindcss/node_modules/yaml": { + "version": "2.8.3", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz", + "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==", + "optional": true, + "peer": true, + "bin": { + "yaml": "bin.mjs" + }, + "engines": { + "node": ">= 14.6" + }, + "funding": { + "url": "https://github.com/sponsors/eemeli" + } + }, "node_modules/tapable": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
diff --git a/web-integrations/javascript-sdk/react-client-side/package.json b/web-integrations/javascript-sdk/react-client-side/package.json
index c832b32..2becb05 100644
--- a/web-integrations/javascript-sdk/react-client-side/package.json
+++ b/web-integrations/javascript-sdk/react-client-side/package.json
@@ -36,7 +36,8 @@
 "underscore": "^1.13.8",
 "flatted": "^3.4.2",
 "path-to-regexp@0": "0.1.13",
- "picomatch": "^2.3.2"
+ "picomatch": "^2.3.2",
+ "lodash": "^4.18.0"
 },
 "scripts": {
 "start": "node server.js",