Skip to content

Bump lodash from 4.17.21 to 4.17.23 in /documentation#868

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/documentation/lodash-4.17.23
Closed

Bump lodash from 4.17.21 to 4.17.23 in /documentation#868
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/documentation/lodash-4.17.23

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jan 22, 2026

Copy link
Copy Markdown
Contributor

Bumps lodash from 4.17.21 to 4.17.23.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 22, 2026
@netlify

netlify Bot commented Jan 22, 2026

Copy link
Copy Markdown

Deploy Preview for opal-docs ready!

Name Link
🔨 Latest commit e202ff4
🔍 Latest deploy log https://app.netlify.com/projects/opal-docs/deploys/69717453a751330008956c6d
😎 Deploy Preview https://deploy-preview-868--opal-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zeevmoney

Copy link
Copy Markdown
Contributor

Superseded by #925, which consolidates all six open Dependabot updates for the /documentation site into a single PR — and upgrades the security-relevant deps (axios, node-forge, lodash) past the proposed versions to fully clear their advisories. Closing in favor of #925.

@zeevmoney zeevmoney closed this Jun 24, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/documentation/lodash-4.17.23 branch June 24, 2026 11:20
zeevmoney added a commit that referenced this pull request Jun 24, 2026
…latest (PER-15242) (#925)

* chore(deps): consolidate dependabot bumps for documentation site

Consolidate the six open Dependabot updates for the /documentation Docusaurus
site into one change, upgrading the security-relevant deps past the
Dependabot-proposed versions to fully clear their known advisories:

- axios              1.12.2  -> 1.18.1  (direct; clears proxy MITM, proxy
                                         credential leak, SSRF, ReDoS)
- node-forge         1.3.1   -> 1.4.0   (resolutions; clears RSA/Ed25519
                                         signature forgery, basicConstraints
                                         chain bypass)
- lodash             4.17.21 -> 4.18.1  (resolutions; clears _.template code
                                         injection)
- webpack            5.100.2 -> 5.105.0 (clears buildHttp SSRF)
- altcha-lib         1.3.0   -> 1.4.1   (clears PoW challenge replay)
- mdast-util-to-hast 13.1.0  -> 13.2.1  (clears unsanitized class attribute)

Supersedes #879, #877, #868, #854, #851, #849. node-forge and lodash are
transitive deps, pinned via yarn resolutions. yarn.lock regenerated with
yarn 1.22.22; validated with --frozen-lockfile and a successful `yarn build`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): update remaining documentation deps to latest

Bring the rest of the /documentation Docusaurus site dependencies up to
latest, on top of the Dependabot security consolidation:

- @docusaurus/*            3.9.1   -> 3.10.1
- react / react-dom        18.3.1  -> 19.2.7  (major; Docusaurus 3.10 supports React 19)
- @inkeep/cxkit-docusaurus 0.5.100 -> 0.5.119
- prism-react-renderer     2.3.1   -> 2.4.1
- sass                     1.93.2  -> 1.101.0
- webpack                  5.105.0 -> 5.107.2 (transitive)

axios (1.18.1), node-forge (1.4.0) and lodash (4.18.1) are already at latest
from the prior commit. altcha-lib stays at 1.4.1: its consumer @inkeep
declares ^1.2.0, so 2.x cannot be forced without overriding @inkeep.

Validated with yarn install --frozen-lockfile, yarn build, and a local
docusaurus dev server (compiles with webpack 5.107.2, serves HTTP 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): migrate documentation site from yarn to pnpm

Replace yarn 1.22.22 with pnpm 11.9.0 as the documentation site's package
manager:

- packageManager -> pnpm@11.9.0 (with corepack integrity hash)
- yarn.lock removed; pnpm-lock.yaml generated
- yarn `resolutions` (node-forge 1.4.0, lodash 4.18.1) moved to
  pnpm-workspace.yaml `overrides` (pnpm v11 no longer reads the package.json
  `pnpm` field). The stale npm-style `overrides` block (got/trim) is dropped:
  it never applied under yarn (got resolves to 12.x) and trim is not in the tree.
- pnpm-workspace.yaml `allowBuilds` permits @parcel/watcher (native file
  watcher) and blocks core-js (funding-only postinstall), since pnpm blocks
  dependency build scripts by default.
- Makefile `docs-dev` target and documentation/.gitignore updated for pnpm.

Validated: pnpm install, pnpm build (Docusaurus 3.10 + React 19 compile
cleanly) and pnpm start (dev server serves HTTP 200, webpack 5.107.2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(contributing): update docs-site setup instructions for pnpm

The CONTRIBUTING guide told contributors to use `npm install` / `npm run
start` for the documentation site. Update it to pnpm (via Corepack) to match
the package-manager migration, and fix the step that said "docs directory"
while the command navigates to `documentation`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: exclude pnpm-lock.yaml from codespell

The codespell hook skipped *.json and *.lock, which covered yarn.lock but not
the new pnpm-lock.yaml. codespell then tripped on false positives inside
package hashes/metadata (e.g. "devlop", "trough"). Add *pnpm-lock.yaml to the
skip list (wildcard prefix so it matches the nested documentation/ path, the
same way *.lock did).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(netlify): pin docs site build to pnpm via netlify.toml

Netlify deploy previews are disabled for the repo, so the pnpm migration was
never exercised on Netlify; the production deploy relied on the dashboard
build command, which still referenced the old (yarn) setup. Add a netlify.toml
that pins the build in-repo: base=documentation, command="pnpm build",
publish=build. Netlify auto-runs `pnpm install` from the lockfile and
provisions pnpm@11.9.0 via the packageManager field. COREPACK_INTEGRITY_KEYS=0
works around Corepack's signature-fetch failure for newer pnpm on Netlify's
build image (the version is still hash-pinned by packageManager).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(make): use corepack pnpm in docs-dev target

The docs-dev target called `pnpm` directly, which fails on machines that have
Corepack but no globally installed pnpm (and haven't run `corepack enable`).
Use `corepack pnpm start` so the target runs the pnpm version pinned in
documentation/package.json without prior setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: add docs-build workflow for the pnpm/Docusaurus site

Nothing in CI built or installed the documentation site; the only build was
Netlify's production deploy (previews disabled), so docs build breakage was
not caught on PRs. This matters now that the site uses pnpm and React 19.

Add a documentation/**-scoped workflow that runs on pull requests and pushes
to the default branch: corepack enable -> pnpm install --frozen-lockfile ->
pnpm build. The frozen install also catches lockfile drift. Actions are
SHA-pinned to their release tags, checkout uses persist-credentials: false,
and permissions are contents: read.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant