Skip to content

chore(deps): bump lodash from 4.17.21 to 4.17.23 #8716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump lodash from 4.17.21 to 4.17.23 #8716

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 22, 2026

Bumps lodash from 4.17.21 to 4.17.23.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump lodash from 4.17.21 to 4.17.23
f3c41fe 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 22, 2026
@github-actions
Copy link

github-actions bot commented Jan 22, 2026
edited
Loading

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump lodash from 4.17.21 to 4.17.23
  • Issue: None — title is clear, follows conventional commit style, and identifies the dependency and versions.
  • Recommendation: Keep as-is.

Commit Type

  • The PR body does not use the required PR BODY TEMPLATE and did not select a Commit Type.
  • Note: The title implies chore which is correct for a dependency bump, but the PR must include the Commit Type section in the body using the template.
  • Recommendation: In the PR body commit type section, check only:
    • - [x] chore - Maintenance/tooling
      and leave other boxes unchecked. Add a small note (1–2 sentences) referencing that this is an automated Dependabot bump to be explicit.

Risk Level

  • The PR does not include any "Risk Level" selection in its body and there is no label like risk:low, risk:medium, or risk:high on the PR. The repository's rules require a risk level selection and matching label.
  • Based on the code diff (lodash bumped from 4.17.21 -> 4.17.23; lockfile updated), I advise: risk:low.
    • Reason: This is a patch/minor dependency upgrade that includes security fixes (commit note: "Prevent prototype pollution on baseUnset function") and lockfile updates. Scope is limited to dependency upgrade; no direct API changes.
  • Recommendation:
    • Add - [x] Low - Minor changes, limited scope under Risk Level in the PR body.
    • Add the label risk:low to the PR (or ask a repo maintainer to add it if you cannot). If maintainers consider it higher risk for repo-specific reasons, adjust accordingly and document why in the PR body.

⚠️ What & Why

  • Current: (Missing — PR contains Dependabot default message, not the repository template's What & Why section.)
  • Issue: The PR body does not include a concise "What & Why" using the required template. The PR should explain why the bump is happening (security fix/bugfix/compatibility) and summarize the key changes.
  • Recommendation: Add a short description, for example:
    • What: Bumps lodash from 4.17.21 to 4.17.23 across the project and updates pnpm lockfile entries.
    • Why: Includes a security fix preventing prototype pollution in baseUnset and other minor fixes. This reduces risk of prototype pollution vulnerabilities and keeps dependencies up-to-date.

⚠️ Impact of Change

  • Issue: The template section is missing. We need explicit impact details so reviewers know who and what is affected.
  • Recommendation: Insert the Impact of Change section. Example content tailored to this PR:
    • Users: No direct user-facing changes. This is an internal dependency update.
    • Developers: Developers should run pnpm install/pnpm install --frozen-lockfile locally. There may be minor differences in transitive dependencies; run the test suite locally if you rely on lodash behavior in custom code.
    • System: Minimal; only package manager and lockfile updated. CI should run full test suite to validate.

Test Plan

  • Assessment: The PR diff contains no new unit or E2E test files. The PR body did not mark any Test Plan checkboxes from the template.

  • Issue: For dependency bumps, it's acceptable to have no added tests, but the PR must either:

    • Include CI-units/E2E passing evidence, or
    • Include a clear manual testing plan explaining why no tests are necessary.

  • Recommendation: Update the Test Plan section with at least one of the following:

    • Check the box: - [x] Manual testing completed and add a brief description like: "Ran local unit test suite and CI checks — all tests pass."
    • Or, better: run CI with the bump and ensure - [x] Unit tests added/updated or - [x] E2E tests added/updated is accurate if tests were updated. If no tests changed, add: "No code changes besides dependency bump. All existing unit and E2E tests ran and passed in CI."

    Also request maintainers to wait for CI and add the CI status link or mention it in the body.

⚠️ Contributors

  • Assessment: The PR currently has only the Dependabot author and no contributor credits in the PR body.
  • Recommendation: Add a Contributors section (as per template). Example: - dependabot[bot] (automated dependency update). If anyone else reviewed or approved, mention their GitHub handles.

Screenshots/Videos

  • Assessment: Not applicable for this change (no UI changes).
  • Recommendation: Leave blank or add N/A.

Summary Table

Section Status Recommendation
Title Keep current title
Commit Type Mark chore in the PR body commit type section
Risk Level Mark Low in PR body and add label risk:low
What & Why ⚠️ Add short explanation: security fix + lock updates
Impact of Change ⚠️ Populate Users/Developers/System as suggested
Test Plan Add CI/test results or manual testing notes
Contributors ⚠️ Note Dependabot and any reviewers if applicable
Screenshots/Videos N/A for this PR

Final message:
This PR needs updates to the PR body to comply with the repository template and policy before it can be approved by this check. Specifically:

  • Fill in the PR BODY TEMPLATE sections: Commit Type (mark chore), Risk Level (mark Low), What & Why, Impact, Test Plan, and Contributors.
  • Add the risk:low label to the PR.
  • Ensure CI completes and mention CI pass (or include the CI result link) in the Test Plan section. If CI fails, investigate and update the PR accordingly.

Suggested minimal PR body additions you can paste into the template:

  • Commit Type: - [x] chore - Maintenance/tooling
  • Risk Level: - [x] Low - Minor changes, limited scope
  • What & Why: Bumps lodash from 4.17.21 to 4.17.23 to include a prototype pollution fix and other minor fixes. Lockfile updated accordingly.
  • Impact: Users: none; Developers: re-run installs and tests; System: none significant — lockfile updated.
  • Test Plan: - [x] Manual testing completed — ran unit test suite locally and CI (link to CI) passed.
  • Contributors: dependabot[bot] (automated)

Once you update the PR body and add the risk:low label and CI passes, this check should pass. Thank you!

Last updated: Thu, 22 Jan 2026 01:49:22 GMT

@github-actions
Copy link

github-actions bot commented Jan 22, 2026

📊 Coverage check completed. See workflow run for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code needs-pr-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant