v4.18.0
Security
_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.
_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".
Docs
- Add security notice for
_.templatein threat model and API docs (#6099) - Document
lower > upperbehavior in_.random(#6115) - Fix quotes in
_.compactjsdoc (#6090)
lodash.* modular packages
We have also regenerated and published a select number of the lodash.* modular packages.
These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:
- lodash.orderby
- lodash.tonumber
- lodash.trim
- lodash.trimend
- lodash.sortedindexby
- lodash.zipobjectdeep
- lodash.unset
- lodash.omit
- lodash.template
Full Changelog: 4.17.23...4.18.0