
fix(deps): patch lodash security vulnerabilities #1862

Merged: shrugs merged 1 commit into main from fix/deps on Apr 2, 2026

Conversation

@shrugs (Collaborator) commented Apr 2, 2026

Summary

  • updates pnpm.overrides for lodash and lodash-es to cover the full vulnerable range (<=4.17.23, previously only <=4.17.22)
  • forces resolution to ^4.18.0, fixing GHSA-r5fr-rjxr-66jc (high: code injection via _.template) and GHSA-f23m-r3pf-42rh (moderate: prototype pollution via _.unset/_.omit)
  • all transitive through docs/ensnode.io deps (mermaid, astro-seo)

Test plan

  • pnpm audit --audit-level=moderate returns no vulnerabilities
  • CI passes

🤖 Generated with Claude Code

Update overrides to cover lodash/lodash-es <=4.17.23 (previously only
covered <=4.17.22). Forces resolution to ^4.18.0 which fixes both
CVE code injection via _.template (high) and prototype pollution via
_.unset/_.omit (moderate).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
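An added example, not code from this PR or from the ENSNode project, showing why the override selector had to be widened: a minimal semver-range matcher in JavaScript applied to the pnpm.overrides entries reconstructed from the description above. The exact override key strings ("lodash@>=4.0.0 <=4.17.22", etc.) are an assumption based on that description, not the repository's package.json.

```javascript
// Added example (not code from the PR): shows why the old override selector (<=4.17.22) let
// lodash 4.17.23 through and the widened one (<=4.17.23) rewrites it to ^4.18.0.
// Handles only the operators used in this PR: >=, <=, >, <, exact, and ^x.y.z with x>0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Space-separated comparators are ANDed, as in "lodash@>=4.0.0 <=4.17.23".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    if (c.startsWith('^')) {
      const base = c.slice(1);
      return compare(version, base) >= 0 && parseVersion(version)[0] === parseVersion(base)[0];
    }
    const [, op = '=', target] = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const cmp = compare(version, target);
    return { '>=': cmp >= 0, '<=': cmp <= 0, '>': cmp > 0, '<': cmp < 0, '=': cmp === 0 }[op];
  });
}

// pnpm.overrides entries are "name@selector": "replacement". Returns the replacement range
// that applies to a transitive request for `name` at `version`, or null if no selector matches.
function overrideFor(overrides, name, version) {
  for (const [key, replacement] of Object.entries(overrides)) {
    const at = key.indexOf('@', 1); // index 1 so scoped "@org/pkg" names still split correctly
    const [pkg, selector] = [key.slice(0, at), key.slice(at + 1)];
    if (pkg === name && satisfies(version, selector)) return replacement;
  }
  return null;
}

// A request stays vulnerable if it falls in the advisory range and no override rewrites it.
function stillVulnerable(overrides, name, version, vulnerableRange) {
  return satisfies(version, vulnerableRange) && overrideFor(overrides, name, version) === null;
}

// Assumed override keys, reconstructed from the PR description (before / after this PR).
const OLD_OVERRIDES = { 'lodash@>=4.0.0 <=4.17.22': '>=4.17.23', 'lodash-es@>=4.0.0 <=4.17.22': '>=4.17.23' };
const NEW_OVERRIDES = { 'lodash@>=4.0.0 <=4.17.23': '^4.18.0', 'lodash-es@>=4.0.0 <=4.17.23': '^4.18.0' };
const ADVISORY_RANGE = '<=4.17.23'; // range the PR describes for GHSA-r5fr-rjxr-66jc / GHSA-f23m-r3pf-42rh
```

Calling `stillVulnerable(OLD_OVERRIDES, 'lodash-es', '4.17.23', ADVISORY_RANGE)` models mermaid's transitive request under the old rules and returns true; with `NEW_OVERRIDES` it returns false. The old replacement target `>=4.17.23` also admits 4.17.23 itself, which is the second reason the PR moves the floor to `^4.18.0`.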
@shrugs shrugs requested a review from a team as a code owner April 2, 2026 00:59
Copilot AI review requested due to automatic review settings April 2, 2026 00:59
@vercel (Contributor) vercel bot commented Apr 2, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
admin.ensnode.io | Ready | Preview, Comment | Apr 2, 2026 1:00am
ensnode.io | Ready | Preview, Comment | Apr 2, 2026 1:00am
ensrainbow.io | Ready | Preview, Comment | Apr 2, 2026 1:00am

@changeset-bot changeset-bot bot commented Apr 2, 2026

⚠️ No Changeset found

Latest commit: 7c691db

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@coderabbitai (Contributor) coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

Updated pnpm overrides for lodash and lodash-es dependencies in package.json. The constraints now map version ranges >=4.0.0 <=4.17.23 to ^4.18.0, replacing the previous >=4.17.23 resolution targets.

Changes

Cohort / File(s) | Summary
Dependency Override Configuration: package.json | Updated pnpm overrides for lodash and lodash-es to map earlier version ranges (>=4.0.0 <=4.17.23) to ^4.18.0 instead of >=4.17.23.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With carrot and care, I hop through the code,
Updating the paths where our dependencies load,
From old lodash versions to newer ones bright,
Version constraints dance in the pale moonlight! 🌙

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'fix(deps): patch lodash security vulnerabilities' accurately and concisely describes the main change—updating lodash dependencies to fix security vulnerabilities.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check | ✅ Passed | The PR description provides clear summary bullets, explains the security rationale with CVE references, specifies testing approach, and aligns well with the template structure.


Copilot AI (Contributor) left a comment


Pull request overview

Updates the monorepo’s pnpm overrides/lockfile to fully mitigate known lodash/lodash-es vulnerabilities that are pulled in transitively (notably via docs/ensnode.io dependencies).

Changes:

  • Expands the override selector range to include <=4.17.23 for both lodash and lodash-es.
  • Forces resolution to ^4.18.0 and updates the lockfile to 4.18.1 for lodash / lodash-es.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File | Description
package.json | Updates pnpm.overrides entries for lodash and lodash-es to cover the full vulnerable selector range and enforce the fixed version range.
pnpm-lock.yaml | Reflects the updated overrides and resolves lodash / lodash-es to 4.18.1 in packages/snapshots.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


@greptile-apps (Contributor) greptile-apps bot commented Apr 2, 2026

Greptile Summary

This PR patches two lodash security vulnerabilities (GHSA-r5fr-rjxr-66jc — high severity code injection via _.template, and GHSA-f23m-r3pf-42rh — moderate prototype pollution via _.unset/_.omit) by expanding the pnpm.overrides vulnerable range from <=4.17.22 to <=4.17.23 and forcing resolution to ^4.18.0. The lock file correctly reflects the updated resolutions from 4.17.23 to 4.18.1 for all transitive consumers (chevrotain, dagre-d3-es, mermaid, yaml-language-server, etc.), and no stale 4.17.x snapshot entries remain.

  • Extends the override's upper vulnerable bound to include 4.17.23, which was itself vulnerable
  • Pins the safe floor to ^4.18.0 (resolved as 4.18.1 in the lock file) instead of the previously-vulnerable >=4.17.23
  • All six snapshot references to lodash-es@4.17.23 and two references to lodash@4.17.23 have been updated
  • Modular lodash packages (lodash.camelcase, lodash.debounce, etc.) are versioned independently and are unaffected — correctly left untouched

Confidence Score: 5/5

  • This PR is safe to merge — it is a targeted, dependency-only security patch with no application logic changes.
  • The change is minimal and correct: the vulnerable range was widened to include 4.17.23, the safe resolution was bumped to ^4.18.0 (which resolves to 4.18.1), and the lock file has been regenerated with no stale references. No functional code is modified.
  • No files require special attention.

Important Files Changed

Filename | Overview
package.json | Extends pnpm.overrides vulnerable range for lodash and lodash-es to <=4.17.23 and forces resolution to ^4.18.0, correctly addressing both CVEs.
pnpm-lock.yaml | Lock file regenerated; all lodash@4.17.23 and lodash-es@4.17.23 entries replaced with 4.18.1 across packages and snapshots, with no stale 4.17.x references remaining.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Transitive dep requires lodash in vulnerable range] -->|pnpm.overrides match| B{Override rule}
    B -->|lodash resolved to| C[lodash 4.18.1]
    B -->|lodash-es resolved to| D[lodash-es 4.18.1]

    E[chevrotain] -->|previously 4.17.23| A
    F[chevrotain-allstar] -->|previously 4.17.23| A
    G[dagre-d3-es] -->|previously 4.17.23| A
    H[mermaid] -->|previously 4.17.23| A
    I[yaml-language-server] -->|previously 4.17.23| A
    J[zip-a-folder] -->|previously 4.17.23| A

    C --> K[GHSA-r5fr-rjxr-66jc fixed - code injection via template]
    D --> K
    C --> L[GHSA-f23m-r3pf-42rh fixed - prototype pollution via unset and omit]
    D --> L

Reviews (1): Last reviewed commit: "fix(deps): patch lodash and lodash-es se..."

@shrugs shrugs merged commit d6063f4 into main Apr 2, 2026
22 of 24 checks passed
@shrugs shrugs deleted the fix/deps branch April 2, 2026 01:02