Skip to content

fix(deps): Bump lodash to 4.17.23#19211

Merged
chargome merged 1 commit intodevelopfrom
fix/bump-lodash-cve-2025-13465
Feb 6, 2026
Merged

fix(deps): Bump lodash to 4.17.23#19211
chargome merged 1 commit intodevelopfrom
fix/bump-lodash-cve-2025-13465

Conversation

@chargome
Copy link
Member

@chargome chargome commented Feb 6, 2026

Bump transitive lodash dependency from 4.17.21 to 4.17.23 to address CVE-2025-13465 (prototype pollution in _.unset and _.omit).

Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/966

@chargome @claude
fix(deps): Bump lodash to 4.17.23
45b8ca2 
Bump transitive lodash dependency from 4.17.21 to 4.17.23 to address
CVE-2025-13465 (prototype pollution in `_.unset` and `_.omit`).

Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/966
Co-Authored-By: Claude <noreply@anthropic.com>
@chargome chargome self-assigned this Feb 6, 2026
@chargome chargome requested review from a team, JPeer264, andreiborza and mydea and removed request for a team and mydea February 6, 2026 14:37
@github-actions
Copy link
Contributor

github-actions bot commented Feb 6, 2026
edited
Loading

Codecov Results 📊

Generated by Codecov Action

@github-actions
Copy link
Contributor

github-actions bot commented Feb 6, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 8,643 - 8,579 +1%
GET With Sentry 1,664 19% 1,636 +2%
GET With Sentry (error only) 5,958 69% 5,976 -0%
POST Baseline 1,112 - 1,158 -4%
POST With Sentry 542 49% 542 -
POST With Sentry (error only) 981 88% 1,021 -4%
MYSQL Baseline 3,283 - 3,220 +2%
MYSQL With Sentry 431 13% 418 +3%
MYSQL With Sentry (error only) 2,630 80% 2,648 -1%

View base workflow run

@chargome chargome enabled auto-merge (squash) February 6, 2026 14:46
@chargome chargome merged commit 6f91180 into develop Feb 6, 2026
214 of 215 checks passed
@chargome chargome deleted the fix/bump-lodash-cve-2025-13465 branch February 6, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andreiborza andreiborza andreiborza approved these changes

@JPeer264 JPeer264 Awaiting requested review from JPeer264

Assignees

@chargome chargome

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chargome @andreiborza