2 changes: 1 addition & 1 deletion package.json
@@ -42,7 +42,7 @@
"jsonwebtoken": "9.0.2",
"jwks-rsa": "3.2.0",
"ldapjs": "3.0.7",
"lodash": "4.17.21",
"lodash": "4.17.23",
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if lodash 4.17.23 exists on npm
curl -s https://registry.npmjs.org/lodash/4.17.23 | jq -r '.version // .error // "Not found"'

# Also check the latest available versions
echo "---"
echo "Checking recent lodash versions:"
curl -s https://registry.npmjs.org/lodash | jq -r '.versions | keys | sort | tail -20 | .[]'

Repository: parse-community/parse-server

Length of output: 277


🏁 Script executed:

# Check the actual package.json file content around line 45
cat -n package.json | sed -n '40,50p'

Repository: parse-community/parse-server

Length of output: 430


🏁 Script executed:

# Check if package-lock.json exists and its sync status
if [ -f package-lock.json ]; then
  echo "package-lock.json exists"
  head -20 package-lock.json
else
  echo "package-lock.json does not exist"
fi

Repository: parse-community/parse-server

Length of output: 697


🏁 Script executed:

# Check if lodash is in package-lock.json and what version it references
rg '"lodash"' package-lock.json -A 5 | head -30

Repository: parse-community/parse-server

Length of output: 736


🏁 Script executed:

# Check git status and diff to see what changed
git diff package.json | head -50

Repository: parse-community/parse-server

Length of output: 54


🏁 Script executed:

# Look for CI/pipeline configuration and any recent errors
find . -maxdepth 2 -type f \( -name "*.yml" -o -name "*.yaml" -o -name ".github" -o -name ".circleci" \) 2>/dev/null | head -20

Repository: parse-community/parse-server

Length of output: 96


🏁 Script executed:

# Check if there's a git history showing the previous lodash version
git log --oneline package.json 2>/dev/null | head -5

Repository: parse-community/parse-server

Length of output: 123


🏁 Script executed:

# Search for any references to the CVE or vulnerability in the repo
rg "CVE-2025-13465|SNYK-JS-LODASH-15053838|15053838" .

Repository: parse-community/parse-server

Length of output: 54


🏁 Script executed:

# Check git log for context about why this update was made
git log --all --oneline --grep="lodash\|vulnerability\|4.17.23" 2>/dev/null | head -10

Repository: parse-community/parse-server

Length of output: 1076


🌐 Web query:

CVE-2025-13465 lodash prototype pollution vulnerability

💡 Result:

CVE-2025-13465 (lodash) — Prototype Pollution (property deletion)

  • What it is: A prototype-pollution issue in Lodash’s _.unset and _.omit where crafted property paths can cause deletion of methods/properties from global prototypes. It allows deletion, but does not allow overwriting the original behavior. [1][2]
  • Affected: lodash 4.0.0–4.17.22 (also lodash-amd / lodash-es in the same range). [1][2]
  • Fixed: Upgrade to lodash 4.17.23+. [1][2]
  • Severity: GitHub rates it Moderate (CVSS v3.1 base 6.5). [1]
  • Published: Jan 21, 2026 (NVD entry date). [1][2]

Action: Update your dependency (lockfile) to lodash@^4.17.23 (or higher) and redeploy. [1]

Sources: GitHub Security Advisory (GHSA-xxjr-mmjv-4gpg) [1], NVD entry for CVE-2025-13465 [2].


Security fix approved, but CI failure must be addressed before merge.

The lodash upgrade addresses CVE-2025-13465, a Prototype Pollution vulnerability in the _.unset and _.omit functions affecting versions 4.0.0–4.17.22. Upgrading to version 4.17.23 remediates this moderate-severity issue (CVSS 6.5).

However, the CI pipeline will fail because package-lock.json is out of sync with package.json:

package-lock.json still references "lodash": "^4.17.21" while package.json specifies "4.17.23"

Running npm ci will fail with a lockfile mismatch error. You must regenerate package-lock.json by running npm install and committing the updated lockfile before this PR can be merged.

Consider updating the PR title to follow Angular commit convention:

fix(security): upgrade lodash to 4.17.23 to fix prototype pollution vulnerability
🤖 Prompt for AI Agents
In `@package.json` at line 45, package.json was updated to "lodash": "4.17.23" but
package-lock.json still references "^4.17.21", causing CI lockfile mismatch; run
npm install to regenerate package-lock.json (or npm install lodash@4.17.23),
commit the updated package-lock.json, and update the PR title to follow Angular
convention (e.g., "fix(security): upgrade lodash to 4.17.23 to fix prototype
pollution vulnerability") so CI will pass and the change is clear.

"lru-cache": "10.4.0",
"mime": "4.0.7",
"mongodb": "6.20.0",
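Review bot: the pin to "lodash": "4.17.23" on the changed line needs a regenerated package-lock.json in the same PR; the thread above reports the lockfile still carrying "lodash": "^4.17.21", and with that mismatch `npm ci` refuses to install, so CI cannot exercise the fix. Note also that this hunk only moves the direct dependency: any copy of lodash that another dependency pulls in lands as a nested `node_modules/<dep>/node_modules/lodash` entry in the lockfile and is not touched by this line, so after running `npm install` check `npm ls lodash` and confirm no entry in the 4.0.0 to 4.17.22 range remains before treating the advisory as closed.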
Expand Down
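The review's verdict makes two checks: that package.json and package-lock.json agree on the lodash spec (otherwise `npm ci` fails), and that every installed copy sits outside the 4.0.0 to 4.17.22 range. As an added example that is not parse-server's code, the script below models both checks over lockfile v2/v3 `packages` maps. The sample inputs are constructed: the package.json pins 4.17.23 and the lockfile still resolves 4.17.21, as the thread reports; the nested copy under `some-dep` is hypothetical and shows that bumping the direct dependency leaves transitive copies untouched.

```javascript
// Added example, not parse-server code. Audits a package-lock.json "packages"
// map (lockfileVersion 2 or 3) for every copy of lodash, direct or nested, and
// reports the package.json / lockfile spec mismatch that makes `npm ci` refuse
// to install.

const AFFECTED_MIN = [4, 0, 0];
const FIXED_AT = [4, 17, 23]; // first fixed release named in the advisory summary

// Parse "4.17.21", "^4.17.21" or "~4.17.21" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unparseable version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed version falls in [4.0.0, 4.17.23).
function isAffected(installedVersion) {
  const v = parseVersion(installedVersion);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_AT) < 0;
}

function auditLodash(packageJson, lockfile) {
  const packages = lockfile.packages || {};
  // The root entry "" records the specs the lockfile was generated from; a
  // disagreement with package.json is what `npm ci` rejects.
  const rootDeps = (packages[''] && packages[''].dependencies) || {};
  const wantedSpec = (packageJson.dependencies || {}).lodash;
  const lockSpec = rootDeps.lodash;
  const specMismatch = wantedSpec !== lockSpec;

  const copies = [];
  for (const [path, entry] of Object.entries(packages)) {
    // matches node_modules/lodash and any nested node_modules/<dep>/node_modules/lodash
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    copies.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return { wantedSpec, lockSpec, specMismatch, copies };
}

// Constructed inputs modelled on the PR thread. "some-dep" and its nested
// lodash 4.17.15 are hypothetical.
const SAMPLE_PACKAGE_JSON = { dependencies: { lodash: '4.17.23' } };
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { lodash: '^4.17.0' } },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.15' },
  },
};

function runSample() {
  return auditLodash(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = runSample();
  console.log(report.specMismatch
    ? `lockfile out of sync: package.json wants ${report.wantedSpec}, lockfile root has ${report.lockSpec}`
    : 'lockfile in sync with package.json');
  for (const c of report.copies) {
    console.log(`${c.path} ${c.version} ${c.affected ? 'AFFECTED' : 'ok'}`);
  }
}
```

To run it against a real checkout, replace the two sample constants with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; a lockfileVersion 1 file has no `packages` map and would need its nested `dependencies` tree walked instead.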