Skip to content

fix(deps): update dependency lodash to v4.17.23 [security]#1080

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-lodash-vulnerability
Open

fix(deps): update dependency lodash to v4.17.23 [security]#1080
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-lodash-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 22, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
lodash (source) 4.17.214.17.23 age confidence

GitHub Vulnerability Alerts

CVE-2025-13465

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Release Notes

lodash/lodash (lodash)

v4.17.23

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner January 22, 2026 21:40
@renovate renovate bot requested review from jpetto and removed request for a team January 22, 2026 21:40
@renovate renovate bot enabled auto-merge (squash) January 22, 2026 21:40
@github-actions
Copy link

github-actions bot commented Jan 22, 2026
edited
Loading

Plan Result (@infrastructure/shareable-lists-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 5 times, most recently from 3d4884a to d8a46e2 Compare January 28, 2026 15:58
@github-actions
Copy link

github-actions bot commented Jan 28, 2026
edited
Loading

Plan Result (@infrastructure/pocket-event-bridge-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 1 to destroy.
  • Delete
    • aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5
Change Result (Click me) 
  # aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5 will be destroyed
  # (because aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5 is not in configuration)
  - resource "aws_cloudwatch_event_bus" "shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5" {
      - arn                = "arn:aws:events:us-east-1:996905175585:event-bus/PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - id                 = "PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - name               = "PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - tags               = {
          - "app_code"       = "pocket-content-shared"
          - "component_code" = "pocket-content-shared-pocketeventbridge"
          - "costCenter"     = "Shared"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "PocketEventBridge"
        } -> null
      - tags_all           = {
          - "app_code"       = "pocket-content-shared"
          - "component_code" = "pocket-content-shared-pocketeventbridge"
          - "costCenter"     = "Shared"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "PocketEventBridge"
        } -> null
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 0 to change, 1 to destroy.

⚠️ Errors

  • failed to add a label @infrastructure/pocket-event-bridge-production/destroy: label name is too long (max: 50)

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from d8a46e2 to bcc5952 Compare January 28, 2026 20:18
@github-actions
Copy link

github-actions bot commented Jan 28, 2026

Plan Result (@infrastructure/shares-api-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 2 to destroy.
  • Delete
    • aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0
    • aws_s3_bucket.synthetics_synthetics_synthetic_check_artifacts_53DD59E6
Change Result (Click me) 
  # aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 will be destroyed
  # (because aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 is not in configuration)
  - resource "aws_ecr_repository" "application_ecs_service_ecr-app_ecr-repo_ABFE17F0" {
      - arn                  = "arn:aws:ecr:us-east-1:996905175585:repository/sharesapi-prod-app" -> null
      - id                   = "sharesapi-prod-app" -> null
      - image_tag_mutability = "MUTABLE" -> null
      - name                 = "sharesapi-prod-app" -> null
      - registry_id          = "996905175585" -> null
      - repository_url       = "996905175585.dkr.ecr.us-east-1.amazonaws.com/sharesapi-prod-app" -> null
      - tags                 = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-sharesapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "SharesAPI"
        } -> null
      - tags_all             = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-sharesapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "SharesAPI"
        } -> null

      - encryption_configuration {
          - encryption_type = "AES256" -> null
            # (1 unchanged attribute hidden)
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

  # aws_s3_bucket.synthetics_synthetics_synthetic_check_artifacts_53DD59E6 will be destroyed
  # (because aws_s3_bucket.synthetics_synthetics_synthetic_check_artifacts_53DD59E6 is not in configuration)
  - resource "aws_s3_bucket" "synthetics_synthetics_synthetic_check_artifacts_53DD59E6" {
      - arn                         = "arn:aws:s3:::pocket-sharesapi-prod-synthetic-checks" -> null
      - bucket                      = "pocket-sharesapi-prod-synthetic-checks" -> null
      - bucket_domain_name          = "pocket-sharesapi-prod-synthetic-checks.s3.amazonaws.com" -> null
      - bucket_regional_domain_name = "pocket-sharesapi-prod-synthetic-checks.s3.us-east-1.amazonaws.com" -> null
      - force_destroy               = false -> null
      - hosted_zone_id              = "Z3AQBSTGFYJSTF" -> null
      - id                          = "pocket-sharesapi-prod-synthetic-checks" -> null
      - object_lock_enabled         = false -> null
      - region                      = "us-east-1" -> null
      - request_payer               = "BucketOwner" -> null
      - tags                        = {} -> null
      - tags_all                    = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-sharesapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "SharesAPI"
        } -> null
        # (3 unchanged attributes hidden)

      - grant {
          - id          = "92f1efb5501a01f6ebb8e3628131c3483688d3e5ca1a7c175420c565a06a6616" -> null
          - permissions = [
              - "FULL_CONTROL",
            ] -> null
          - type        = "CanonicalUser" -> null
            # (1 unchanged attribute hidden)
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

      - versioning {
          - enabled    = false -> null
          - mfa_delete = false -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from bcc5952 to 04f4fc8 Compare January 28, 2026 20:55
@github-actions
Copy link

github-actions bot commented Jan 28, 2026

Plan Result (@infrastructure/user-api-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 1 to destroy.
  • Delete
    • aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0
Change Result (Click me) 
  # aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 will be destroyed
  # (because aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 is not in configuration)
  - resource "aws_ecr_repository" "application_ecs_service_ecr-app_ecr-repo_ABFE17F0" {
      - arn                  = "arn:aws:ecr:us-east-1:996905175585:repository/userapi-prod-app" -> null
      - id                   = "userapi-prod-app" -> null
      - image_tag_mutability = "MUTABLE" -> null
      - name                 = "userapi-prod-app" -> null
      - registry_id          = "996905175585" -> null
      - repository_url       = "996905175585.dkr.ecr.us-east-1.amazonaws.com/userapi-prod-app" -> null
      - tags                 = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-userapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "UserAPI"
        } -> null
      - tags_all             = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-userapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "UserAPI"
        } -> null

      - encryption_configuration {
          - encryption_type = "AES256" -> null
            # (1 unchanged attribute hidden)
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from 04f4fc8 to aca8bf2 Compare January 28, 2026 21:29
@github-actions
Copy link

github-actions bot commented Jan 28, 2026
edited
Loading

Plan Result (@infrastructure/v3-proxy-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from aca8bf2 to a7cca0e Compare January 30, 2026 22:39
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from a7cca0e to 2446134 Compare February 8, 2026 07:59
@github-actions
Copy link

github-actions bot commented Feb 8, 2026
edited
Loading

❌ Plan Result (@infrastructure/user-list-search-production)

CI link

Error: Error acquiring the state lock
 
 Error message: operation error DynamoDB: PutItem, https response error
 StatusCode: 400, RequestID:
 TD3S6KIL6KM1HC5TS6PVQ72QBJVV4KQNSO5AEMVJF66Q9ASUAAJG,
 ConditionalCheckFailedException: The conditional request failed
 Lock Info:
   ID:        dbd76df8-8696-eff1-bb00-9395e59afbe0
   Path:      mozilla-pocket-team-prod-terraform-state/UserListSearch
   Operation: OperationTypeApply
   Who:       runner@runnervmwffz4
   Version:   1.8.3
   Created:   2026-02-09 15:40:42.280752694 +0000 UTC
   Info:      
 
 
 Terraform acquires a state lock to protect the state from being written
 by multiple users at the same time. Please resolve the issue above and try
 again. For most commands, you can disable locking with the "-lock=false"
 flag, but this is not recommended.

@github-actions
Copy link

github-actions bot commented Feb 8, 2026
edited
Loading

Plan Result (@infrastructure/image-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from a54e931 to 87a543f Compare February 15, 2026 11:39
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from 87a543f to 820929b Compare February 17, 2026 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpetto jpetto Awaiting requested review from jpetto jpetto is a code owner automatically assigned from Pocket/pocket

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies @infrastructure/shares-api-production/destroy @infrastructure/user-api-production/destroy

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants