From 81ea2cafe01bae0c71622780fb7a7501f1cd2fa6 Mon Sep 17 00:00:00 2001
From: Yadhav Jayaraman <57544838+decyjphr@users.noreply.github.com>
Date: Fri, 5 Jun 2026 16:14:13 -0400
Subject: [PATCH] fix: update lodash to ^4.18.1 to fix code injection vulnerability Resolve Dependabot alert #116 - lodash vulnerable to Code Injection via `_.template` imports key names. Updated from ^4.17.21 to ^4.18.1.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package-lock.json | 9 ++++-----
 package.json | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index bed52e06c..a5daebb9f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
 "deepmerge": "^4.3.1",
 "eta": "^3.5.0",
 "js-yaml": "^4.1.0",
- "lodash": "^4.17.21",
+ "lodash": "^4.18.1",
 "minimatch": "^10.2.1",
 "node-cron": "^4.2.1",
 "octokit": "^5.0.2",
@@ -10228,10 +10228,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
- "license": "MIT"
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q=="
 },
 "node_modules/lodash.defaults": {
 "version": "4.2.0",
diff --git a/package.json b/package.json
index da97dc4f3..1bf4f13e7 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
 "deepmerge": "^4.3.1",
 "eta": "^3.5.0",
 "js-yaml": "^4.1.0",
- "lodash": "^4.17.21",
+ "lodash": "^4.18.1",
 "minimatch": "^10.2.1",
 "node-cron": "^4.2.1",
 "octokit": "^5.0.2",