
Conversation


@parseplatformorg parseplatformorg commented Jan 24, 2026


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

  • Prototype Pollution, medium severity (SNYK-JS-LODASH-15053838)

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

Summary by CodeRabbit

  • Chores
    • Updated a core dependency to the latest patch version for improved stability and security.


The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15053838
@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant bot changed the title from "[Snyk] Security upgrade lodash from 4.17.21 to 4.17.23" to "refactor: Security upgrade lodash from 4.17.21 to 4.17.23" on Jan 24, 2026
@parse-github-assistant

🚀 Thanks for opening this pull request!

@parseplatformorg
Contributor Author

Snyk checks have passed. No issues have been found so far.

Open Source Security scanner: Critical 0, High 0, Medium 0, Low 0, Total 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@coderabbitai

coderabbitai bot commented Jan 24, 2026

📝 Walkthrough

Updates the lodash dependency version from 4.17.21 to 4.17.23 in package.json. This is a straightforward version bump with no changes to application logic, control flow, or exported entities.

Changes

  • Dependency Update (package.json): version bump lodash 4.17.21 → 4.17.23

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Description check ⚠️ Warning. Explanation: The PR description is missing required template sections like 'Issue' (Closes:) and 'Approach', which are mandatory according to the repository template. Resolution: Add the missing template sections: fill in the 'Closes:' field with the relevant issue link and add an 'Approach' section describing the changes. Mark completed tasks in the Tasks section if applicable.

✅ Passed checks (2 passed)
  • Title check ✅ Passed. Explanation: The title clearly describes the main change: a security upgrade of lodash from 4.17.21 to 4.17.23, which matches the changeset.
  • Docstring Coverage ✅ Passed. Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Branch: snyk-fix-2f69f6d67b232b71688915e78509236f


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Line 45: package.json was updated to "lodash": "4.17.23" but package-lock.json
still references "^4.17.21", causing CI lockfile mismatch; run npm install to
regenerate package-lock.json (or npm install lodash@4.17.23), commit the updated
package-lock.json, and update the PR title to follow Angular convention (e.g.,
"fix(security): upgrade lodash to 4.17.23 to fix prototype pollution
vulnerability") so CI will pass and the change is clear.

"jwks-rsa": "3.2.0",
"ldapjs": "3.0.7",
"lodash": "4.17.21",
"lodash": "4.17.23",
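Review bot: the pin to "lodash": "4.17.23" on the last line of this hunk changes package.json only; the Snyk banner at the top of the PR states that package-lock.json could not be updated, and the lockfile root still records "^4.17.21", so `npm ci` will abort on the spec mismatch. Regenerate the lockfile with `npm install lodash@4.17.23` (or a plain `npm install`) and commit package-lock.json in this same PR, so that the version the lockfile resolves, not just the manifest string, is 4.17.23.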

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if lodash 4.17.23 exists on npm
curl -s https://registry.npmjs.org/lodash/4.17.23 | jq -r '.version // .error // "Not found"'

# Also check the latest available versions
echo "---"
echo "Checking recent lodash versions:"
curl -s https://registry.npmjs.org/lodash | jq -r '.versions | keys | sort | tail -20 | .[]'

Repository: parse-community/parse-server



🏁 Script executed:

# Check the actual package.json file content around line 45
cat -n package.json | sed -n '40,50p'



🏁 Script executed:

# Check if package-lock.json exists and its sync status
if [ -f package-lock.json ]; then
  echo "package-lock.json exists"
  head -20 package-lock.json
else
  echo "package-lock.json does not exist"
fi



🏁 Script executed:

# Check if lodash is in package-lock.json and what version it references
rg '"lodash"' package-lock.json -A 5 | head -30



🏁 Script executed:

# Check git status and diff to see what changed
git diff package.json | head -50



🏁 Script executed:

# Look for CI/pipeline configuration and any recent errors
find . -maxdepth 2 -type f \( -name "*.yml" -o -name "*.yaml" -o -name ".github" -o -name ".circleci" \) 2>/dev/null | head -20



🏁 Script executed:

# Check if there's a git history showing the previous lodash version
git log --oneline package.json 2>/dev/null | head -5



🏁 Script executed:

# Search for any references to the CVE or vulnerability in the repo
rg "CVE-2025-13465|SNYK-JS-LODASH-15053838|15053838" .



🏁 Script executed:

# Check git log for context about why this update was made
git log --all --oneline --grep="lodash\|vulnerability\|4.17.23" 2>/dev/null | head -10



🌐 Web query:

CVE-2025-13465 lodash prototype pollution vulnerability

💡 Result:

CVE-2025-13465 (lodash) — Prototype Pollution (property deletion)

  • What it is: A prototype-pollution issue in Lodash’s _.unset and _.omit where crafted property paths can cause deletion of methods/properties from global prototypes. It allows deletion, but does not allow overwriting the original behavior. [1][2]
  • Affected: lodash 4.0.0–4.17.22 (also lodash-amd / lodash-es in the same range). [1][2]
  • Fixed: Upgrade to lodash 4.17.23+. [1][2]
  • Severity: GitHub rates it Moderate (CVSS v3.1 base 6.5). [1]
  • Published: Jan 21, 2026 (NVD entry date). [1][2]

Action: Update your dependency (lockfile) to lodash@^4.17.23 (or higher) and redeploy. [1]

Sources: GitHub Security Advisory (GHSA-xxjr-mmjv-4gpg) [1], NVD entry for CVE-2025-13465 [2].


Security fix approved, but CI failure must be addressed before merge.

The lodash upgrade addresses CVE-2025-13465, a Prototype Pollution vulnerability in the _.unset and _.omit functions affecting versions 4.0.0–4.17.22. Upgrading to version 4.17.23 remediates this moderate-severity issue (CVSS 6.5).

However, the CI pipeline will fail because package-lock.json is out of sync with package.json:

package-lock.json still references "lodash": "^4.17.21" while package.json specifies "4.17.23"

Running npm ci will fail with a lockfile mismatch error. You must regenerate package-lock.json by running npm install and committing the updated lockfile before this PR can be merged.

Consider updating the PR title to follow Angular commit convention:

fix(security): upgrade lodash to 4.17.23 to fix prototype pollution vulnerability
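The deletion-type prototype pollution the review above describes for lodash's `_.unset` and `_.omit` (CVE-2025-13465), as an added example written for this page and not code from lodash or parse-server: a deliberately naive `unsafeUnset` that follows an attacker-controlled dotted path with plain property access, beside a hardened `safeUnset` that rejects `__proto__`, `constructor` and `prototype` segments and only descends through own properties. The function names, the `accountProto` object and its `isAdmin` check are constructed for illustration; lodash's real internals are not reproduced here, only the unguarded walk the advisory describes.

```javascript
// Added example: a model of property-deletion prototype pollution of the kind
// CVE-2025-13465 describes for lodash's _.unset/_.omit, plus a hardened form.
// This is NOT lodash's code; it only mirrors the unguarded path walk.

// Deliberately vulnerable: every segment is followed with plain property
// access, so "__proto__" steps onto the shared prototype and the final
// `delete` removes a property every object sharing that prototype relied on.
function unsafeUnset(obj, path) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || cur === undefined) return false;
    cur = cur[parts[i]];
  }
  if (cur === null || cur === undefined) return false;
  return delete cur[parts[parts.length - 1]];
}

// Segments that move the walk from the object itself onto a prototype chain.
const PROTOTYPE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuse prototype-reaching segments anywhere in the path, descend
// only through own properties, and delete only an own property.
function safeUnset(obj, path) {
  const parts = path.split('.');
  if (parts.some((p) => PROTOTYPE_SEGMENTS.has(p))) return false;
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !own(cur, parts[i])) return false;
    cur = cur[parts[i]];
  }
  const last = parts[parts.length - 1];
  if (cur === null || typeof cur !== 'object' || !own(cur, last)) return false;
  return delete cur[last];
}

// Constructed scenario (hypothetical, not parse-server code): a shared
// prototype supplies the authorization check, and a request handler lets the
// caller name which own field of their own record to clear.
function makeAccount() {
  const accountProto = { isAdmin() { return false; } };
  const account = Object.create(accountProto);
  account.name = 'alice';
  account.nickname = 'al';
  return account;
}

// Runs the "clear a field" handler with the given unset implementation and
// reports what a later authorization check would observe. A fresh prototype
// is built per call so one run cannot contaminate the next.
function clearField(unsetImpl, requestedPath) {
  const account = makeAccount();
  unsetImpl(account, requestedPath);
  return {
    nicknameGone: !Object.prototype.hasOwnProperty.call(account, 'nickname'),
    isAdminCallable: typeof account.isAdmin === 'function',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign path, unsafe:   ', clearField(unsafeUnset, 'nickname'));
  console.log('hostile path, unsafe:  ', clearField(unsafeUnset, '__proto__.isAdmin'));
  console.log('hostile path, hardened:', clearField(safeUnset, '__proto__.isAdmin'));
}
```

The example keeps the prototype under its own control so that running it does not damage the host process; a path such as `constructor.prototype.hasOwnProperty` would reach `Object.prototype` through the same walk. Note the advisory's point that this primitive only deletes: `isAdmin` does not become true, it disappears, so guard code that calls `account.isAdmin()` throws a TypeError for every object sharing that prototype rather than granting access.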

3 participants