
Upgrade lodash to 4.17.23 and @types/lodash to 4.17.23#5603

Merged: iclanton merged 1 commit into microsoft:main from EvilFaeton:upgrade-lodash on Feb 6, 2026

Conversation

@EvilFaeton (Contributor)

Summary

Upgrades lodash from ~4.17.15 to ~4.17.23 and @types/lodash from 4.14.116 to 4.17.23 across all packages in the monorepo that depend on it.

This addresses the security vulnerability GHSA-xxjr-mmjv-4gpg (Command Injection in lodash).

Fixes #5560

Details

Packages updated:

  • @microsoft/api-extractor
  • @rushstack/heft-jest-plugin
  • @rushstack/npm-check-fork
  • localization-plugin-test-02 (private test package)

Code changes:

  • In @rushstack/npm-check-fork, the stricter type definitions in @types/lodash@4.17.23 exposed a type incompatibility with _.partial(semver.gt, CRAZY_HIGH_SEMVER). This was replaced with an equivalent arrow function (version: string) => semver.gt(CRAZY_HIGH_SEMVER, version) which is more explicit and type-safe.

Compatibility:

  • No breaking changes - lodash 4.17.23 is fully backward compatible with 4.17.15
  • The _.partial to arrow function change is functionally equivalent

How it was tested

  • Ran rush build for all affected packages - all builds pass
  • Ran rush test for affected packages - all tests pass
  • Ran linters - all pass
  • Added a new test case in npm-check-fork to verify the CRAZY_HIGH_SEMVER filtering logic works correctly with the refactored code

Impacted documentation

None - this is a dependency update with no API changes.

- Update lodash from ~4.17.15 to ~4.17.23 in:
  - @microsoft/api-extractor
  - @rushstack/heft-jest-plugin
  - @rushstack/npm-check-fork
  - localization-plugin-test-02

- Update @types/lodash from 4.14.116 to 4.17.23 in the same packages

- Fix type error in npm-check-fork caused by stricter @types/lodash:
  Replace _.partial(semver.gt, CRAZY_HIGH_SEMVER) with arrow function
  for better type safety and compatibility

- Add test coverage for CRAZY_HIGH_SEMVER version filtering
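The refactor described in the PR body and the commit message above, shown as an added, self-contained example that is not code from rush-stack, npm-check-fork or lodash. It stands in a tiny `gt` comparator for `semver.gt`, a lodash-like `partial` whose loose signature erases parameter types, and an assumed placeholder value for `CRAZY_HIGH_SEMVER` (the PR does not show the real value); `filterRealistic` and the sample version list are constructed for illustration. The point it makes concrete is that `_.partial(gt, HIGH)` and `(version) => gt(HIGH, version)` keep the same argument order, so both exclude versions at or above the ceiling, while only the arrow gives `version` a declared type.

```typescript
// Added illustration, not code from rush-stack, npm-check-fork or lodash.
// The real code uses the `semver` package and lodash's _.partial; a small
// comparator and a lodash-like partial stand in so this runs offline.

type SemverTriple = [number, number, number];

function parseTriple(v: string): SemverTriple {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Stand-in for semver.gt(a, b): true when a is strictly greater than b
// (major, then minor, then patch; prerelease tags are ignored here).
function gt(a: string, b: string): boolean {
  const x = parseTriple(a);
  const y = parseTriple(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return false;
}

// Assumed placeholder; the constant's real value is not shown in the PR.
export const CRAZY_HIGH_SEMVER = '8000.0.0';

// Lodash-like partial application. Its signature is deliberately loose:
// every parameter becomes `any`, which is the property that stricter
// @types/lodash no longer lets pass where a typed predicate is expected.
function partial(fn: (...args: any[]) => any, ...bound: any[]): (...rest: any[]) => any {
  return (...rest: any[]) => fn(...bound, ...rest);
}

// Before: predicate built with partial; `version` is implicitly `any`.
export const isRealisticBefore: (version: string) => boolean = partial(gt, CRAZY_HIGH_SEMVER);

// After: explicit arrow with the same argument order as the partial,
// so gt(CRAZY_HIGH_SEMVER, version) is true exactly when version < ceiling.
export const isRealisticAfter = (version: string): boolean => gt(CRAZY_HIGH_SEMVER, version);

// Drop registry versions at or above the ceiling before picking a "latest".
export function filterRealistic(
  versions: string[],
  pred: (version: string) => boolean = isRealisticAfter
): string[] {
  return versions.filter(pred);
}

// Constructed sample listing: two bogus sky-high versions, one exactly at the ceiling.
export const SAMPLE_VERSIONS = ['1.0.0', '4.17.15', '4.17.23', '9999.0.0', '8000.0.0'];

// Both predicates must agree on every input for the refactor to be a no-op.
export function predicatesAgree(versions: string[]): boolean {
  return versions.every((v) => isRealisticBefore(v) === isRealisticAfter(v));
}
```

The version exactly equal to the ceiling is excluded by both predicates because `gt` is strict, which is the edge a regression test for this refactor should pin down alongside an ordinary version and an absurdly high one.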
iclanton merged commit 505d12d into microsoft:main on Feb 6, 2026. 6 checks passed.

github-project-automation bot moved this from Needs triage to Closed in Bug Triage on Feb 6, 2026.
Copilot AI added a commit that referenced this pull request Feb 6, 2026
…onflicts from lodash upgrade (#5603) and CODEOWNERS (#5606)

Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com>
Successfully merging this pull request may close these issues.

[api-extractor] Vulnerability in locked version of lodash

2 participants