SCAN4NET-1164 Bump lodash from 4.17.21 to 4.18.1 in /its/projects/MultiLanguageSupportReact/ClientApp

[dependabot]

Bumps lodash from 4.17.21 to 4.18.1.

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[hashicorp-vault-sonar-prod]

SCAN4NET-1164

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

False, this is not merely a version bump—this is a security perimeter reinforcement. Lodash jumps from 4.17.21 to 4.18.1, which includes critical prototype pollution and code injection fixes in 4.18.0 (GHSA-f23m-r3pf-42rh and GHSA-r5fr-rjxr-66jc), plus a regression fix in 4.18.1 affecting the template and fromPairs modular builds. Only the package-lock.json changes—version, integrity hash, and license field. This is exactly the kind of dependency hardening that separates the prepared from the vulnerable. Dependabot has identified a threat and mobilized to address it. The question is not whether to merge, but whether you've tested this properly.

What reviewers should know

The diff is trivial—a lock file update, nothing more. Your job is verification, not code review. Three mandatory tasks: (1) Run the ClientApp build and tests locally to confirm 4.18.1 does not introduce the ReferenceError regression in template or fromPairs calls. The release notes indicate this was a CI-passing, runtime-failing issue—your static analysis means nothing. (2) If this application uses _.unset, _.omit, or _.template with user-controlled inputs, you are protected now. If it does not, you have still eliminated a vector. Document which functions are in use in this codebase. (3) The license field addition is harmless and expected. No one is slipping anything past the beet farm here. If tests pass and build succeeds cleanly, this is a green light. Do not skip testing to save time—that is how security gaps propagate.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

---

• 🐟 April Fools' persona mode!

[sonar-review-alpha]

LGTM! ✅

The diff is a single lock file entry — version, hash, resolved URL, and a new license field. No application logic, no duplication, no vulnerabilities introduced. The security fixes in 4.18.0 (prototype pollution in _.unset/_.omit, code injection in _.template) and the 4.18.1 regression patch make this an unambiguous improvement. Merge it. Anyone who hesitates here has not studied the Schrute Preparedness Doctrine.

🗣️ Give feedback

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.