chore(deps): bump lodash from 4.17.23 to 4.18.1 (#7225)

* chore(deps): bump lodash from 4.17.23 to 4.18.1

Cherry-pick from Dependabot PR #7218. Fixes prototype pollution via
constructor/prototype path traversal in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
and code injection via _.template imports keys (GHSA-r5fr-rjxr-66jc).

https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg

* chore(deps): fix security vulnerabilities via npm audit fix

Updates transitive dependencies to resolve security advisories:
- follow-redirects 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653)
- path-to-regexp 8.3.0 -> 8.4.2 and 0.1.12 -> 0.1.13 (ReDoS fixes)
- picomatch: updated nested copies to 4.0.4 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj)
- minimatch: updated app-builder-lib override from vulnerable 10.1.1 to 10.2.5

Remaining items blocked on upstream releases:
- picomatch 4.0.3 (top-level, needs @angular-devkit update)
- undici 7.22.0 (needs @angular/build update)
- vite 7.3.1 (needs @angular/build update)
- minimatch 10.1.1 in glob (needs glob update)

All vulnerabilities are in dev/build tooling only — none affect production.

https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg

---------

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Johannes Millan 2026-04-14 15:32:05 +02:00 committed by GitHub
parent 35c9f26a64
commit c47ab48eb7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 1341 additions and 689 deletions

View file

@ -282,7 +282,7 @@
},
"overrides": {
"app-builder-lib": {
"minimatch": "10.1.1"
"minimatch": "10.2.5"
}
},
"optionalDependencies": {