[Aikido] Fix 2 security issues in lodash-es, glob #21

Open

aikido-autofix[bot] wants to merge 1 commit into 11.x from fix/aikido-security-update-packages-56280303-ej6s
Conversation

@aikido-autofix (Bot) commented Jun 27, 2026

Upgrade lodash-es and glob to fix RCE vulnerabilities in template injection and command execution, and prevent prototype pollution attacks.

✅ Code not affected by breaking changes.

✅ No breaking changes affect this codebase. The search found no usages of _.unset, _.omit, or _.template methods in the source code. The only lodash references found were in vendor/assets directories (CKEditor bundles), which are third-party dependencies not directly affected by this upgrade.

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

Version  Description
4.18.0   _.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0   _.template: imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template" error, where previously they were accepted.

✅ 2 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue           Severity  Description
CVE-2026-4800   HIGH      [lodash-es] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-64756  MEDIUM    [glob] A command injection vulnerability in the CLI's -c/--cmd option allows arbitrary code execution when processing files with malicious names, as matched filenames are passed to a shell with shell metacharacters interpreted.

🤖 Remediation details

Fix CVE-2025-64756 (glob) and CVE-2026-4800 (lodash-es, lodash) in core dependencies

Short summary

This PR fixes two security advisories affecting glob, lodash-es, and lodash in core/package.json and core/yarn.lock. The direct glob devDependency was bumped, the transitive glob@10.x and lodash lockfile entries were refreshed (parent ranges already permitted patched versions), and a resolutions override was added for lodash-es because all CKEditor5 parents pin it at an exact version that Yarn cannot override any other way.

glob

glob appears in the lockfile at two vulnerable version branches. The direct devDependency was bumped from the exact pin 11.0.0 to 11.1.0 in core/package.json, resolving the 11.x instance. The transitive instance at 10.3.10 — pulled in by cacache (^10.2.2) and node-gyp (^10.3.10) — was resolved to 10.5.0 via a lockfile-only refresh (yarn up -R glob); both parent ranges already permitted >=10.5.0 so no manifest edit was needed. A pre-existing resolutions["glob/jackspeak"] pin was removed as it became stale after the glob@11.x upgrade.

lodash-es

lodash-es@4.17.21 is a transitive dependency pulled in by 24 CKEditor5 packages (e.g. @ckeditor/ckeditor5-utils, @ckeditor/ckeditor5-core, all at ~42.0.2), each of which declares it as an exact version pin "4.17.21" with no caret or tilde. Because Yarn Berry cannot override exact pins via yarn up, a resolutions entry "lodash-es": "4.18.1" was added to the root core/package.json and the lockfile was refreshed, moving the resolved version to 4.18.1. No CKEditor5 parent version bump was required.

lodash

lodash@4.17.21 is a transitive dependency shared by eslint-plugin-yml (^4.17.21), stylelint-checkstyle-formatter (^4.17.10), and yaml-eslint-parser (^4.17.21). All three parent ranges already permitted 4.18.x, so a lockfile-only refresh (yarn up -R lodash) was sufficient to move the resolved version to 4.18.1 with no manifest changes.

Version changes

Package                                        From     To       Why updated
glob (direct, core/package.json)               11.0.0   11.1.0   Direct CVE fix (CVE-2025-64756)
glob (transitive, lockfile ^10.2.2/^10.3.10)   10.3.10  10.5.0   Lockfile refresh — transitive CVE fix (CVE-2025-64756) via cacache / node-gyp
lodash-es                                      4.17.21  4.18.1   Override (resolutions) — CVE fix (CVE-2026-4800); exact-pinned by CKEditor5 parents
lodash                                         4.17.21  4.18.1   Lockfile refresh — transitive CVE fix (CVE-2026-4800) via eslint-plugin-yml, stylelint-checkstyle-formatter, yaml-eslint-parser
minimatch (lockfile, ^9.x)                     9.0.3    9.0.9    Lockfile refresh — pulled in alongside glob@10.5.0
lru-cache (lockfile, ^10.x)                    10.1.0   10.4.3   Lockfile refresh — pulled in alongside glob@10.5.0
path-scurry (lockfile)                         1.10.1   1.11.1   Lockfile refresh — pulled in alongside glob@10.5.0
jackspeak (lockfile, ^2.1.1 resolution)        2.1.1    removed  Stale glob/jackspeak resolution removed after glob@11.x upgrade
brace-expansion (lockfile, ^2.x)               -        2.1.1    Lockfile refresh — new transitive dep of glob@10.5.0
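The remediation above turns on one question per affected package: does every parent range already admit the patched version (so a lockfile-only `yarn up -R` refresh is enough, as with glob@10.x and lodash), or is the parent an exact pin that only a manifest bump or a root `resolutions` override can move (the CKEditor5 lodash-es case)? The script below is an added example, not code from the Aikido bot or this PR. It reads a constructed Yarn Berry lockfile fragment whose versions mirror the "From" column of the table, flags entries below the fixed versions the description gives, and classifies each finding. The function names, the simplified range handling (exact, caret, tilde and `>=` only) and the sample lockfile are all assumptions made for the example.

```javascript
// Added example, not code from the Aikido PR: audit a Yarn Berry lockfile for
// resolved versions below an advisory's fix and tell whether `yarn up -R <pkg>`
// can reach it or whether an exact pin forces a manifest bump / resolutions override.

// Minimum patched versions per major branch, from the PR description above.
const FIXED_VERSIONS = {
  glob: ["10.5.0", "11.1.0"], // CVE-2025-64756, one fix per maintained branch
  "lodash-es": ["4.18.1"],    // CVE-2026-4800
  lodash: ["4.18.1"],         // CVE-2026-4800
};

// "1.2.3" (pre-release suffix ignored) -> [1, 2, 3]
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);

// Numeric version comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Minimal Yarn Berry lockfile reader. A top-level key lists every descriptor
// (name@npm:range, comma separated) that resolved to the block's `version:`.
function parseLockfile(text) {
  const blocks = [];
  let cur = null;
  for (const line of text.split("\n")) {
    const key = line.match(/^"?([^"\s].*?)"?:\s*$/);
    if (key) { cur = { descriptors: key[1].split(", "), version: null }; blocks.push(cur); continue; }
    const ver = cur && line.match(/^\s+version:\s*"?([^"\s]+)"?/);
    if (ver) cur.version = ver[1];
  }
  return blocks
    .filter((b) => b.descriptors[0].includes("@npm:")) // drops the __metadata block
    .map((b) => ({
      name: b.descriptors[0].slice(0, b.descriptors[0].indexOf("@npm:")),
      ranges: b.descriptors.map((d) => d.slice(d.indexOf("@npm:") + 5)),
      version: b.version,
    }));
}

// Every entry whose resolved version is below the fix for its major branch.
function findUnpatched(lockfileText) {
  const findings = [];
  for (const e of parseLockfile(lockfileText)) {
    const fixes = FIXED_VERSIONS[e.name];
    if (!fixes || !e.version) continue;
    const major = parseVersion(e.version)[0];
    const fixed = fixes.find((f) => parseVersion(f)[0] === major) || fixes[fixes.length - 1];
    if (compareVersions(e.version, fixed) < 0) findings.push({ ...e, fixed });
  }
  return findings;
}

// Does a parent's declared range admit `version`? Covers the forms seen in the
// PR (exact pin, ^, ~, >=); anything else returns null (unknown).
function rangeAllows(range, version) {
  const m = range.match(/^(\^|~|>=)?(\d+\.\d+\.\d+)$/);
  if (!m) return null;
  const [, op, base] = m;
  const cmp = compareVersions(version, base);
  const [bMaj, bMin] = parseVersion(base), [vMaj, vMin] = parseVersion(version);
  if (!op) return cmp === 0;                                          // exact pin
  if (op === ">=") return cmp >= 0;
  if (op === "~") return cmp >= 0 && vMaj === bMaj && vMin === bMin;
  return cmp >= 0 && vMaj === bMaj && (bMaj !== 0 || vMin === bMin); // caret
}

// True when every parent range can reach the fix, so a lockfile-only refresh is enough.
// False means a direct pin must be bumped or, for transitive exact pins such as
// CKEditor5's lodash-es, a root `resolutions` entry is required.
function lockfileRefreshSuffices(finding) {
  return finding.ranges.every((r) => rangeAllows(r, finding.fixed) === true);
}

// Constructed sample mirroring the "From" column of the PR's version table.
const SAMPLE_LOCK = `__metadata:
  version: 8
"glob@npm:11.0.0":
  version: 11.0.0
  resolution: "glob@npm:11.0.0"
"glob@npm:^10.2.2, glob@npm:^10.3.10":
  version: 10.3.10
  resolution: "glob@npm:10.3.10"
"lodash-es@npm:4.17.21":
  version: 4.17.21
  resolution: "lodash-es@npm:4.17.21"
"lodash@npm:^4.17.10, lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
"minimatch@npm:^9.0.1":
  version: 9.0.3
  resolution: "minimatch@npm:9.0.3"
`;

for (const f of findUnpatched(SAMPLE_LOCK)) {
  const how = lockfileRefreshSuffices(f) ? `yarn up -R ${f.name}` : "manifest bump or resolutions override";
  console.log(`${f.name}@${f.version} < ${f.fixed} via [${f.ranges.join(", ")}] -> ${how}`);
}
```

Run against the sample, the four vulnerable entries are reported and minimatch (not in the advisory list) is ignored; lodash and glob@10.x come back as refreshable, while the exact pins on lodash-es and the direct glob@11.0.0 are classified as needing a manifest or `resolutions` change, matching what the PR did. Against a real repository, read `yarn.lock` from disk and replace `FIXED_VERSIONS` with the advisory's fixed versions.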

@aikido-autofix (Bot) added the labels "bug" (Something isn't working) and "documentation" (Improvements or additions to documentation) on Jun 27, 2026