Open
Labels: Security: moderate, Remediate within 60 days
Description
Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.
Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.
Action
Your dependencies are out of date, otherwise you would be using a newer lodash than lodash@4.17.21. Try relocking your lockfile or deleting node_modules. If the problem persists, one of your dependencies may be bundling outdated modules.
Completion criteria
- node_modules are built fresh
- In package.json, upgrade lodash to version 4.17.23 or latest
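
The completion criteria above can be checked mechanically. As an added example (not part of the original issue or the lodash project), this Node.js function scans a parsed package-lock.json for every installed copy of lodash, including copies nested under other dependencies, and reports those below 4.17.23, the version named in the issue. The sample lockfile and the `some-dep` package name are constructed.

```javascript
// Added example: audit a parsed package-lock.json for lodash copies below the fixed version.
const FIXED = [4, 17, 23]; // threshold taken from the issue's completion criteria

function parseVersion(v) {
  // Keep only the numeric major.minor.patch core; pre-release/build tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false; // equal versions are not below the threshold
}

function findOutdatedLodash(lock, min = FIXED) {
  const hits = [];
  const check = (where, version) => {
    const v = parseVersion(version);
    // Unparseable versions (git URLs, links) are reported for manual review.
    if (!v || isBelow(v, min)) hits.push({ path: where, version: String(version) });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === 'node_modules/lodash' || p.endsWith('/node_modules/lodash')) check(p, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${prefix}node_modules/${name}`;
      if (name === 'lodash') check(here, meta.version);
      walk(meta.dependencies, `${here}/`);
    }
  };
  // Walk the v1 tree only when no "packages" map exists, to avoid double reports on v2.
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from the issue).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
  },
};
console.log(findOutdatedLodash(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample; any nested path in the result points at the dependency that pins the old copy.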