chore(deps): update dependency lodash to v4.17.23 [security]#280
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
| minimumReleaseAgeExclude: | ||
| # Renovate security update: lodash@4.17.23 | ||
| - lodash@4.17.23 |
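Review bot: the exclusion is version-pinned (`- lodash@4.17.23`), so it bypasses minimumReleaseAge for this one release only and leaves the gate in place for future lodash publishes; since the comment line `# Renovate security update: lodash@4.17.23` does not say when the entry stops being needed, consider recording that it can be dropped once this release has aged past the configured minimum, otherwise it lingers as dead config.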
Relates to #1777.
The DX isn't great on renovate security updates with minimum release age set: it requires the package to be added to pnpm-workspace.yaml as shown here. Do you know of another solution @mcoetzee or @Siegrift? I tried by directly updating package.json and pnpm threw the same error:
ERR_PNPM_NO_MATURE_MATCHING_VERSION Version 4.17.23 (released 5 days ago) of lodash does not meet the minimumReleaseAge constraint
This error happened while installing a direct dependency of /home/derek/ois
The latest release of lodash is "4.17.23". Published at 1/21/2026
If you need the full list of all 115 published versions run "$ pnpm view lodash versions".
If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting
Here the lodash security update is pretty low severity, but still it might be annoying that this is the solution to any security update.
The only mechanism to get around minimumReleaseAge during dependency resolution is minimumReleaseAgeExclude AFAIK. Renovate is smart enough to automatically add the exclusion, so the DX could be worse, but yeah I agree with Emanuel. It feels like an acceptable trade-off considering it helps mitigate the growing threat of supply chain attacks.
Haha ok you guys are right. I don't know why having an extra line appear in this workspace file annoyed me. I guess it'd be cool if after the package release age passed the minimum, renovate realized it in a future PR and removed the line, but even if not it's fine.
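The cleanup wished for above, as an added example that is not part of this thread and not code from pnpm or Renovate: a small Node script that takes a parsed pnpm-workspace.yaml fragment plus per-version publish times (the shape `pnpm view <pkg> time --json` returns) and reports which minimumReleaseAgeExclude entries have aged past minimumReleaseAge (pnpm expresses it in minutes) and can be removed. The config, package names and publish dates below are constructed sample data.

```javascript
// Added example, not from the PR or from pnpm/Renovate. Reports exclusion
// entries that are no longer needed because the gated release has aged out.
const MINUTE_MS = 60 * 1000;

// Constructed config: minimumReleaseAge in minutes (7 days here). Entries may be
// bare names ("left-pad") or pinned name@version ("lodash@4.17.23").
const workspaceConfig = {
  minimumReleaseAge: 7 * 24 * 60,
  minimumReleaseAgeExclude: ['lodash@4.17.23', 'left-pad'],
};

// Constructed publish times keyed by package, mirroring `pnpm view <pkg> time --json`.
const publishTimes = {
  lodash: {
    '4.17.22': '2025-12-20T00:00:00.000Z',
    '4.17.23': '2026-01-21T00:00:00.000Z',
  },
  'left-pad': { '1.3.0': '2018-03-01T00:00:00.000Z' },
};

// Split "name@version"; scoped names like "@scope/pkg@1.0.0" keep their leading "@".
function parseExclusion(entry) {
  const at = entry.lastIndexOf('@');
  if (at <= 0) return { name: entry, version: null };
  return { name: entry.slice(0, at), version: entry.slice(at + 1) };
}

// Returns the exclusion entries whose gated release(s) are older than
// minimumReleaseAge at `now`. A bare-name entry is only stale when every
// published version has aged out; unknown packages/versions are kept, not guessed.
function staleExclusions(config, times, now = Date.now()) {
  const cutoff = now - config.minimumReleaseAge * MINUTE_MS;
  const stale = [];
  for (const entry of config.minimumReleaseAgeExclude || []) {
    const { name, version } = parseExclusion(entry);
    const versions = times[name];
    if (!versions) continue; // package not in the publish-time data
    const dates = version ? [versions[version]] : Object.values(versions);
    if (dates.some((d) => d === undefined)) continue; // pinned version not found
    if (dates.every((d) => Date.parse(d) <= cutoff)) stale.push(entry);
  }
  return stale;
}

console.log('stale exclusions:', staleExclusions(workspaceConfig, publishTimes));
```

Run against real data by replacing `publishTimes` with the output of `pnpm view <pkg> time --json` for each excluded package.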
This PR contains the following updates:
lodash 4.17.21 → 4.17.23
GitHub Vulnerability Alerts
CVE-2025-13465
Impact
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior.
Patches
This issue is patched on 4.17.23.
Release Notes
lodash/lodash (lodash)
v4.17.23 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.