From aa2d25f2f66a66a22a722e53a7263d933800c320 Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Mon, 6 Apr 2026 16:22:20 +0200 Subject: [PATCH] fix: bump lodash to 4.18.1 to remediate CVE-2026-4800 lodash <4.18.0 allows code injection via unsanitised options.imports key names in _.template(). Fixed in 4.18.0. Resolves ENG-14004. Co-Authored-By: Claude Sonnet 4.6 --- zapier/package-lock.json | 8 ++++---- zapier/package.json | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/zapier/package-lock.json b/zapier/package-lock.json index a0038231..04a4392f 100644 --- a/zapier/package-lock.json +++ b/zapier/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.5", "dependencies": { "agentql-js-common": "^0.0.1", - "lodash": ">=4.17.23", + "lodash": ">=4.18.0", "zapier-platform-core": "^17" }, "devDependencies": { @@ -3191,9 +3191,9 @@ } }, "node_modules/lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "license": "MIT" }, "node_modules/lodash.isplainobject": { diff --git a/zapier/package.json b/zapier/package.json index fcac43d1..2cad15e5 100644 --- a/zapier/package.json +++ b/zapier/package.json @@ -9,13 +9,13 @@ "dependencies": { "agentql-js-common": "^0.0.1", "zapier-platform-core": "^17", - "lodash": ">=4.17.23" + "lodash": ">=4.18.0" }, "devDependencies": { "jest": "^29.6.0" }, "overrides": { - "lodash": ">=4.17.23", + "lodash": ">=4.18.0", "minimatch": "^3.1.3", "picomatch": "^2.3.2" },