[Aikido] Fix 2 security issues in lodash-es, glob #21
Open
aikido-autofix[bot] wants to merge 1 commit into
Upgrade lodash-es and glob to fix RCE vulnerabilities in template injection and command execution, and prevent prototype pollution attacks.
✅ Code not affected by breaking changes.
✅ No breaking changes affect this codebase. The search found no usages of `_.unset`, `_.omit`, or `_.template` methods in the source code. The only lodash references found were in vendor/assets directories (CKEditor bundles), which are third-party dependencies not directly affected by this upgrade.

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

- `_.unset` / `_.omit`: `constructor` and `prototype` are now blocked unconditionally as non-terminal path keys. Calls that previously returned `true` and deleted the property now return `false` and leave the target untouched.
- `_.template`: `imports` keys containing forbidden identifier characters now throw an "Invalid imports option passed into _.template" error, where previously they were accepted.

✅ 2 CVEs resolved by this upgrade
This PR will resolve the following CVEs:
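The two changelog entries above describe a policy rather than code. As an added illustration (hand-written for this page, not lodash's implementation and not part of the PR), the following mirrors both behaviours: a path-based unset that refuses `constructor` and `prototype` as non-terminal path keys, and an `imports` validator that rejects keys which are not plain identifiers. The names `safeUnset`, `validateTemplateImports` and `BLOCKED_NON_TERMINAL_KEYS`, and the inclusion of `__proto__` in the blocked set, are this example's own choices.

```javascript
// Added example: illustrates the hardening described in the lodash-es 4.18.1
// changelog excerpt. Hand-written example code, not lodash's source.

// Path keys that must never be traversed on the way to the target property:
// walking through them reaches Object.prototype, so an attacker-controlled path
// could delete or pollute properties shared by every object in the process.
// The changelog names `constructor` and `prototype`; `__proto__` is added here
// as the third well-known vector (this example's assumption, not a lodash claim).
const BLOCKED_NON_TERMINAL_KEYS = new Set(['constructor', 'prototype', '__proto__']);

// Remove the property at `path` (dot-separated string or array of keys).
// Returns true when the target was deleted or never existed, false when the
// path is refused, so the caller can tell "nothing to do" from "rejected".
function safeUnset(obj, path) {
  const keys = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (keys.length === 0) return false;
  // Every key except the last is non-terminal. Refuse the whole call up front
  // so the target object is left completely untouched, as the changelog says.
  if (keys.slice(0, -1).some((k) => BLOCKED_NON_TERMINAL_KEYS.has(k))) return false;
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return true; // the path does not exist: nothing to delete
    }
    cur = cur[key];
  }
  if (cur === null || typeof cur !== 'object') return true;
  return delete cur[keys[keys.length - 1]];
}

// Keys of a template `imports` object become parameter names of the generated
// template function, so any key that is not a plain identifier could smuggle
// code into that function. Reject such keys before they reach the compiler.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function validateTemplateImports(imports) {
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key)) {
      throw new Error('Invalid imports option passed into _.template');
    }
  }
  return imports;
}

// Stand-alone demonstration on a constructed object.
const sample = { a: { b: 1 } };
console.log(safeUnset(sample, 'a.b'), sample);                          // true, { a: {} }
console.log(safeUnset(sample, 'constructor.prototype.polluted'));       // false, nothing touched
```

Only non-terminal positions are blocked: deleting an own property that happens to be named `constructor` on a plain object is harmless, which is why `safeUnset(obj, 'constructor')` still succeeds while `safeUnset(obj, 'constructor.prototype.x')` is refused.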
🤖 Remediation details
Fix CVE-2025-64756 (glob) and CVE-2026-4800 (lodash-es, lodash) in core dependencies
Short summary
This PR fixes two security advisories affecting `glob`, `lodash-es`, and `lodash` in `core/package.json` and `core/yarn.lock`. The direct `glob` devDependency was bumped, the transitive `glob@10.x` and `lodash` lockfile entries were refreshed (parent ranges already permitted patched versions), and a `resolutions` override was added for `lodash-es` because all CKEditor5 parents pin it at an exact version that Yarn cannot override any other way.

glob
`glob` appears in the lockfile at two vulnerable version branches. The direct devDependency was bumped from the exact pin `11.0.0` to `11.1.0` in `core/package.json`, resolving the `11.x` instance. The transitive instance at `10.3.10`, pulled in by `cacache` (`^10.2.2`) and `node-gyp` (`^10.3.10`), was resolved to `10.5.0` via a lockfile-only refresh (`yarn up -R glob`); both parent ranges already permitted `>=10.5.0`, so no manifest edit was needed. A pre-existing `resolutions["glob/jackspeak"]` pin was removed as it became stale after the `glob@11.x` upgrade.

lodash-es

`lodash-es@4.17.21` is a transitive dependency pulled in by 24 CKEditor5 packages (e.g. `@ckeditor/ckeditor5-utils`, `@ckeditor/ckeditor5-core`, all at `~42.0.2`), each of which declares it as an exact version pin `"4.17.21"` with no caret or tilde. Because Yarn Berry cannot override exact pins via `yarn up`, a `resolutions` entry `"lodash-es": "4.18.1"` was added to the root `core/package.json` and the lockfile was refreshed, moving the resolved version to `4.18.1`. No CKEditor5 parent version bump was required.

lodash

`lodash@4.17.21` is a transitive dependency shared by `eslint-plugin-yml` (`^4.17.21`), `stylelint-checkstyle-formatter` (`^4.17.10`), and `yaml-eslint-parser` (`^4.17.21`). All three parent ranges already permitted `4.18.x`, so a lockfile-only refresh (`yarn up -R lodash`) was sufficient to move the resolved version to `4.18.1` with no manifest changes.

Version changes
| Package | Scope | From | To | Parent / note |
|---|---|---|---|---|
| glob | direct, `core/package.json` | 11.0.0 | 11.1.0 | |
| glob | transitive, lockfile (`^10.2.2` / `^10.3.10`) | 10.3.10 | 10.5.0 | `cacache` / `node-gyp` |
| lodash-es | transitive, `resolutions` override | 4.17.21 | 4.18.1 | CVE fix (CVE-2026-4800); exact-pinned by CKEditor5 parents |
| lodash | transitive, lockfile | 4.17.21 | 4.18.1 | `eslint-plugin-yml`, `stylelint-checkstyle-formatter`, `yaml-eslint-parser` |
| minimatch | lockfile (`^9.x`) | 9.0.3 | 9.0.9 | `glob@10.5.0` |
| lru-cache | lockfile (`^10.x`) | 10.1.0 | 10.4.3 | `glob@10.5.0` |
| path-scurry | lockfile | 1.10.1 | 1.11.1 | `glob@10.5.0` |
| jackspeak | lockfile (`^2.1.1` resolution) | 2.1.1 | | `glob/jackspeak` resolution removed after `glob@11.x` upgrade |
| brace-expansion | lockfile (`^2.x`) | 2.1.1 | | `glob@10.5.0` |
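The remediation notes above show why a single package can sit at several version branches in one lockfile, and why a refresh of one branch says nothing about the others. As an added example (hand-written for this page, not an Aikido or Yarn tool, and not part of this PR), the following parses Yarn Berry lockfile entries and compares every resolved `glob`, `lodash-es` and `lodash` version against the patched floors this PR moves to. The lockfile text in `SAMPLE_LOCK`, the `PATCHED` table and the function names are constructed for the example; the floor versions are the target versions stated in the PR description.

```javascript
// Added example: audit a Yarn Berry lockfile for resolved versions that fall
// below the patched releases this PR upgrades to. Hand-written example code.

// One patched floor per major branch, taken from the PR's version table.
// A resolved version is compared only against the floor of its own major.
const PATCHED = {
  glob: ['10.5.0', '11.1.0'],
  'lodash-es': ['4.18.1'],
  lodash: ['4.18.1'],
};

// Constructed sample in Yarn Berry lockfile syntax (not the project's real file):
// a still-vulnerable glob@10 branch, an already-patched glob@11 branch, and
// lodash-es resolved through the exact pin the CKEditor5 packages carry.
const SAMPLE_LOCK = `
__metadata:
  version: 8

"glob@npm:^10.2.2, glob@npm:^10.3.10":
  version: 10.3.10
  resolution: "glob@npm:10.3.10"

"glob@npm:11.1.0":
  version: 11.1.0
  resolution: "glob@npm:11.1.0"

"lodash-es@npm:4.17.21":
  version: 4.17.21
  resolution: "lodash-es@npm:4.17.21"

"@ckeditor/ckeditor5-utils@npm:~42.0.2":
  version: 42.0.2
  resolution: "@ckeditor/ckeditor5-utils@npm:42.0.2"
`;

// Numeric x.y.z comparison; sufficient for the releases in this PR
// (pre-release tags are not handled).
function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns [{ name, version }] for every package entry. An entry header looks
// like `"glob@npm:^10.2.2, glob@npm:^10.3.10":`; the package name is the text
// before the last '@' of the first descriptor, which keeps scoped names such
// as "@ckeditor/ckeditor5-utils" intact. Headers without '@' (e.g. __metadata)
// are skipped.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.length > 0 && raw[0] !== ' ' && raw.trimEnd().endsWith(':')) {
      const firstDescriptor = raw.trim().slice(0, -1).replace(/^"|"$/g, '').split(', ')[0];
      if (!firstDescriptor.includes('@')) {
        current = null;
        continue;
      }
      current = { name: firstDescriptor.slice(0, firstDescriptor.lastIndexOf('@')), version: null };
      entries.push(current);
    } else if (current && raw.startsWith('  version: ')) {
      current.version = raw.slice('  version: '.length).trim();
    }
  }
  return entries.filter((e) => e.version !== null);
}

// One finding per lockfile entry of an audited package. `status` is
// 'vulnerable' when the resolved version is below its branch's floor, 'ok'
// when it meets it, and 'unknown-branch' when no floor is known for that major.
function auditLockfile(text, patched = PATCHED) {
  const findings = [];
  for (const { name, version } of parseLockfile(text)) {
    if (!(name in patched)) continue;
    const major = parseVersion(version)[0];
    const floor = patched[name].find((p) => parseVersion(p)[0] === major) || null;
    let status = 'unknown-branch';
    if (floor !== null) status = compareVersions(version, floor) < 0 ? 'vulnerable' : 'ok';
    findings.push({ name, version, floor, status });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.status}${f.floor ? ` (patched floor ${f.floor})` : ''}`);
}
```

Run against the sample, the audit reports `glob@10.3.10` and `lodash-es@4.17.21` as vulnerable while `glob@11.1.0` passes, which is exactly the situation the PR describes before the `yarn up -R glob` refresh and the `resolutions` override. A branch whose major has no known floor is reported separately rather than silently passed.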