Security patches applied to lodash and xmldom
Lodash and xmldom dependencies have been bumped to their latest stable versions, closing two high-severity vulnerabilities in the monorepo's dependency tree.
Two security vulnerabilities have been patched in the monorepo's dependency tree. Lodash was updated from 4.17.23 to 4.18.1 across both the catalog and pnpm overrides, with the same upgrade applied to lodash-es. A new pnpm override for @xmldom/xmldom at version 0.8.12 was also added to address the second CVE.
Security patches in dependencies are straightforward but essential — known vulnerabilities in popular packages like lodash are common attack vectors. Applying these updates removes the risk of exploitation through transitive dependencies, which are often harder to track than direct imports.
The changes were made in two configuration files: for the pnpm overrides and for the catalog entry.
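As an added illustration (not the project's own configuration), this is the shape of the pnpm-workspace.yaml change the summary describes, assuming the workspace keeps its catalog and overrides in that file (pnpm 10 layout) and using the versions given in the summary above; the "before" document has the catalog pinning the old lodash and nothing covering the transitive xmldom dependency, the "after" document forces every resolution in the tree to the patched versions.

```yaml
# Before (assumed layout, not the project's actual file): the catalog only
# fixes the version that workspace packages receive through "lodash": "catalog:"
# in their package.json. Copies of lodash pulled in transitively by other
# packages keep whatever range those packages declare, and @xmldom/xmldom,
# which nothing imports directly, is not constrained at all.
packages:
  - 'packages/*'

catalog:
  lodash: 4.17.23
  lodash-es: 4.17.23

---
# After: the catalog moves direct dependents to the patched release, and the
# overrides section rewrites every resolution in the lockfile, including
# transitive ones, so a stale copy cannot survive behind another package's
# semver range. Keys may also be scoped to a range (e.g. 'lodash@<4.18.1')
# when only the vulnerable range should be rewritten.
packages:
  - 'packages/*'

catalog:
  lodash: 4.18.1
  lodash-es: 4.18.1

overrides:
  lodash: 4.18.1
  lodash-es: 4.18.1
  '@xmldom/xmldom': 0.8.12
```

After `pnpm install`, `pnpm why -r lodash` lists each dependent with the version it resolved to, which is how to confirm that no package in the tree still resolves to a 4.17.x copy.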
Summary

- Updates lodash to 4.18.0 via catalog and pnpm override
- Updates lodash-es to 4.18.0 via pnpm override
- Adds @xmldom/xmldom 0.8.12 pnpm override (transitive dependency)

Addresses: CVE-2026-4800, CVE-2026-34601
Test plan

- pnpm install succeeds
- pnpm why lodash -r shows only 4.18.0
- pnpm why lodash-es -r shows 4.18.0
- pnpm why @xmldom/xmldom -r shows 0.8.12
- pnpm build succeeds
- CI passes
🤖 Generated with Claude Code