chore(deps): update lodash to version 4.17.23 across all packages to fix prototype pollution issue #6037

Open
andleebsyed wants to merge 3 commits into ianstormtaylor:main from andleebsyed:fix/security-lodash-prototype-pollution
@andleebsyed andleebsyed commented Mar 30, 2026

Description
This PR bumps lodash from 4.17.21 to 4.17.23 in the root workspace and in packages that declare it as a devDependency (slate, slate-dom, slate-history, slate-react).

Why

4.17.23 includes a security fix for prototype pollution in _.unset and _.omit, tracked as CVE-2025-13465 (GitHub advisory). It can also be seen in Snyk Vulnerability Database. Upgrade to 4.17.23 is needed to fix this.

Lodash’s own changelog documents this release:

lodash wiki — v4.17.23 — notes the _.unset / _.omit fix and links the advisory above.

Checks

  • The new code matches the existing patterns and styles.
  • The tests pass with yarn test.
  • The linter passes with yarn lint. (Fix errors with yarn fix.)
  • The relevant examples still work. (Run examples with yarn start.)
  • You've added a changeset if changing functionality. (Add one with yarn changeset add.)
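
A bump in package.json only takes effect if the lockfile also resolves to the fixed release. The following added example (not code from this PR or from the Slate repository) scans Yarn lockfile text for lodash entries still resolved below 4.17.23; the function names and the sample lockfile are constructed for illustration, and the two lockfile layouts handled are an assumption about which Yarn version is in use.

```javascript
// Added example: report lodash versions a Yarn lockfile still resolves below the fixed release.
const FIXED = [4, 17, 23]; // fixed version named in the PR description

// Compare two [major, minor, patch] arrays; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return [{ descriptor, version }] for every lodash entry resolved below FIXED.
// Handles Yarn classic (`version "x"`) and Yarn Berry (`version: x`) layouts.
function findStaleLodash(lockText) {
  const stale = [];
  let header = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Top-level line: a new entry, possibly listing several descriptors.
      const entry = line.replace(/:$/, '');
      const isLodash = entry.split(',').some(d => /^"?lodash@/.test(d.trim()));
      header = isLodash ? entry : null;
      continue;
    }
    const m = header && line.match(/^\s+version:?\s+"?(\d+)\.(\d+)\.(\d+)"?\s*$/);
    if (m) {
      const version = m.slice(1, 4).map(Number);
      if (compareVersions(version, FIXED) < 0) {
        stale.push({ descriptor: header, version: version.join('.') });
      }
      header = null; // one version line per entry
    }
  }
  return stale;
}

// Constructed sample mixing both layouts; not taken from the Slate repository.
const sampleLock = [
  '"lodash@npm:^4.17.21":',
  '  version: 4.17.23',
  '',
  'lodash@^4.17.15, lodash@^4.17.20:',
  '  version "4.17.21"',
  '',
  '"lodash.debounce@npm:^4.0.8":',
  '  version: 4.0.8',
].join('\n');

console.log(findStaleLodash(sampleLock));
```

An empty result means every lodash entry in the lockfile resolves to 4.17.23 or later; any entry listed is usually a transitive dependency pinning an older range.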

changeset-bot Bot commented Mar 30, 2026

🦋 Changeset detected

Latest commit: b52e9fd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages

| Name | Type |
| --- | --- |
| slate | Patch |
| slate-dom | Patch |
| slate-history | Patch |
| slate-react | Patch |

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@andleebsyed andleebsyed marked this pull request as ready for review March 30, 2026 17:11