Merged
5 changes: 5 additions & 0 deletions .changeset/tame-horses-sing.md
@@ -0,0 +1,5 @@
---
'@api3/ois': patch
---

chore(deps): update dependency lodash
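Review bot: the changeset text `chore(deps): update dependency lodash` does not say which version is being pulled in or why; the pnpm-workspace.yaml change in this same PR labels it a Renovate security update to lodash@4.17.23, so consumers reading the `@api3/ois` release notes would benefit from the changeset saying that too, e.g. "chore(deps): update lodash to 4.17.23 (security update)".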
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -36,7 +36,7 @@
"@api3/eslint-plugin-commons": "^3.0.0",
"@changesets/cli": "^2.29.7",
"@types/jest": "^30.0.0",
"@types/lodash": "^4.17.20",
"@types/lodash": "^4.17.23",
"@types/node": "^20.19.24",
"eslint": "^8.57.1",
"husky": "^9.1.7",
Expand All @@ -48,7 +48,7 @@
"typescript": "^5.9.3"
},
"dependencies": {
"lodash": "^4.17.21",
"lodash": "^4.17.23",
"zod": "^4.0.5"
}
}
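Review bot: the caret range `^4.17.23` only sets a floor; the version that actually ships is whatever pnpm-lock.yaml resolves, and that diff is collapsed on this page (24 lines changed). Worth confirming the lockfile resolves lodash to exactly 4.17.23 and that the remaining lockfile churn is limited to lodash and @types/lodash, since a dependency bump PR is where unrelated resolver moves tend to slip in unnoticed.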
24 changes: 12 additions & 12 deletions pnpm-lock.yaml (generated file, diff not rendered)
3 changes: 3 additions & 0 deletions pnpm-workspace.yaml
@@ -1,3 +1,6 @@
# See: https://pnpm.io/supply-chain-security
blockExoticSubdeps: true
minimumReleaseAge: 20160 # 14 days (keep in sync with Renovate config)
minimumReleaseAgeExclude:
# Renovate security update: lodash@4.17.23
- lodash@4.17.23
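Review bot: the new `minimumReleaseAgeExclude` entry is scoped to the exact version `lodash@4.17.23` rather than the whole package, which is the right granularity; the remaining gap is that nothing records when the exclusion becomes unnecessary. The `minimumReleaseAge: 20160` line above states the window is 14 days, so once 4.17.23 is older than that the entry is dead weight and, if left, silently keeps exempting that version from the policy. Suggest adding the publish date to the comment (e.g. `# Renovate security update: lodash@4.17.23, published 2026-01-21, remove after 2026-02-04`) so a later cleanup is mechanical.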
Comment on lines +4 to +6
Contributor:

Relates to #1777.

The DX isn't great on renovate security updates with minimum release age set: it requires the package to be added to pnpm-workspace.yaml as shown here. Do you know of another solution @mcoetzee or @Siegrift? I tried by directly updating package.json and pnpm threw the same error:

 ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 4.17.23 (released 5 days ago) of lodash does not meet the minimumReleaseAge constraint

This error happened while installing a direct dependency of /home/derek/ois

The latest release of lodash is "4.17.23". Published at 1/21/2026

If you need the full list of all 115 published versions run "$ pnpm view lodash versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting

Here the lodash security update is pretty low severity, but still it might be annoying that this is the solution to any security update.

Contributor:

Feels acceptable to me 🤔

Contributor:

The only mechanism to get around minimumReleaseAge during dependency resolution is minimumReleaseAgeExclude AFAIK. Renovate is smart enough to automatically add the exclusion, so the DX could be worse, but yeah I agree with Emanuel. It feels like an acceptable trade-off considering it helps mitigate the growing threat of supply chain attacks.

Contributor:

Haha ok you guys are right. I don't know why having an extra line appear in this workspace file annoyed me. I guess it'd be cool if after the package release age passed the minimum, renovate realized it in a future PR and removed the line, but even if not it's fine.
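The cleanup the last comment wishes for (noticing when an excluded version has aged past `minimumReleaseAge` and the exclusion can go) is easy to script. The following is an added example, not code from the @api3/ois repository or from pnpm or Renovate. It assumes the flat `pnpm-workspace.yaml` layout shown in the diff above (so a small line scanner for the two keys stands in for a full YAML parser) and takes publish dates in the shape of the registry packument `time` field, which is what `pnpm view <pkg> time --json` prints; both the workspace text and the registry data are constructed inline so the script runs offline.

```javascript
// Added example (not part of @api3/ois): list minimumReleaseAgeExclude
// entries whose pinned version has since aged past minimumReleaseAge.

// Constructed sample workspace file: the pnpm-workspace.yaml hunk from this
// PR plus one made-up extra exclusion (zod@4.0.5) for contrast.
const SAMPLE_WORKSPACE = `# See: https://pnpm.io/supply-chain-security
blockExoticSubdeps: true
minimumReleaseAge: 20160 # 14 days (keep in sync with Renovate config)
minimumReleaseAgeExclude:
  # Renovate security update: lodash@4.17.23
  - lodash@4.17.23
  - zod@4.0.5
`;

// Constructed sample of the registry "time" field. The timestamps are
// invented for the example; the lodash 4.17.23 date follows the
// "Published at 1/21/2026" line in the pnpm error quoted in the thread.
const SAMPLE_REGISTRY_TIME = {
  lodash: { '4.17.21': '2021-02-20T15:42:16.891Z', '4.17.23': '2026-01-21T00:00:00.000Z' },
  zod: { '4.0.5': '2025-07-10T00:00:00.000Z' },
};

// Minimal scanner for the two keys we care about. It strips "#" comments,
// reads "minimumReleaseAge: <minutes>" and collects the "- name@version"
// items under "minimumReleaseAgeExclude:". Any other top-level key ends the list.
function parseWorkspace(text) {
  let minimumReleaseAge = null;
  const exclude = [];
  let inExclude = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (!line.trim()) continue;
    const ageMatch = line.match(/^minimumReleaseAge:\s*(\d+)$/);
    if (ageMatch) { minimumReleaseAge = Number(ageMatch[1]); inExclude = false; continue; }
    if (/^minimumReleaseAgeExclude:$/.test(line)) { inExclude = true; continue; }
    if (inExclude && /^\s+-\s+\S/.test(line)) { exclude.push(line.replace(/^\s+-\s+/, '').trim()); continue; }
    inExclude = false;
  }
  return { minimumReleaseAge, exclude };
}

// Split "name@version", using the last "@" so scoped packages work.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) throw new Error(`exclusion "${spec}" must be name@version`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Return the exclusions whose version was published at least
// minimumReleaseAge minutes before `now`. Versions missing from the registry
// data are kept (not reported) so a human looks at them instead.
function staleExclusions(workspaceText, registryTime, now) {
  const { minimumReleaseAge, exclude } = parseWorkspace(workspaceText);
  if (minimumReleaseAge === null) return [];
  const windowMs = minimumReleaseAge * 60 * 1000;
  const stale = [];
  for (const spec of exclude) {
    const { name, version } = splitSpec(spec);
    const published = registryTime[name] && registryTime[name][version];
    if (!published) continue;
    const ageMs = now.getTime() - new Date(published).getTime();
    if (ageMs >= windowMs) stale.push(spec);
  }
  return stale;
}

// Stand-alone run: pretend today is 5 days after the lodash 4.17.23 release,
// the situation described in the first comment.
console.log(staleExclusions(SAMPLE_WORKSPACE, SAMPLE_REGISTRY_TIME, new Date('2026-01-26T00:00:00Z')));
// → [ 'zod@4.0.5' ]
```

Run on the real file, the workspace text would come from reading `pnpm-workspace.yaml` and the `time` maps from the registry; the script only reports, it does not edit the file, so removing a stale entry still goes through a reviewed PR like the one that added it. Keeping unknown versions rather than reporting them is deliberate: an exclusion whose version the registry does not know about is exactly the kind of entry a person should look at.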