JOC - JS7 Operations Center
JOC-2212

Upgrade lodash and lodash-es to version 4.x due to 3rd-party vulnerabilities CVE-2026-4800 and CVE-2026-2950


Details

    • CVE-2026-4800, CVE-2026-2950

    Description

      Impact

      • lodash
        • lodash is a transitive dependency pulled in by build tooling and UI libraries (webpack, ng-zorro-antd, etc.); it is not used directly in application code.
        • The vulnerabilities concern prototype pollution and unsafe template evaluation.
        • The JS7 codebase does not call _.template() and does not feed untrusted input into lodash object-manipulation helpers (the precondition for the prototype-pollution issue), so the risk is theoretical in this context.
      • lodash-es
        • Impact is the same as for lodash: it is used only indirectly via UI libraries, there is no direct usage, and there is no exploit path in the JS7 implementation.
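      The following is an added example, not code from JS7 or from lodash, illustrating the two points above: it shows the prototype-pollution class the ticket cites using a deliberately naive deep merge next to a guarded one (the shape of the bug, not lodash's actual implementation), and a small source scan for the lodash template usage the ticket says is absent. The payload, file names and file contents are constructed for the example.

```javascript
// Added example, not JS7 or lodash code. Demonstrates (1) prototype pollution via a
// naive deep merge versus a guarded merge and (2) a scan for lodash template() usage.
// All inputs (payload, SAMPLE_FILES) are constructed for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every key of src. JSON.parse creates an own "__proto__" key for
// attacker JSON, target["__proto__"] resolves to Object.prototype, and the recursion
// writes the attacker's property there, visible on every object in the process.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips the keys that reach the prototype chain and only descends into
// own properties of target, so the same payload cannot escape the target object.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging a constructed attacker payload leaked a property onto a
// fresh, unrelated object (the observable effect of prototype pollution).
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  mergeFn({}, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo so later code in the process is unaffected
  return leaked;
}

// Patterns a grep-style audit would use to find lodash template() in a code base.
const TEMPLATE_PATTERNS = [
  /\b_\.template\s*\(/,                                                   // _.template(...)
  /from\s+['"]lodash(?:-es)?\/template['"]/,                              // import x from 'lodash/template'
  /import\s*\{[^}]*\btemplate\b[^}]*\}\s*from\s*['"]lodash(?:-es)?['"]/, // import { template } from 'lodash'
  /require\(\s*['"]lodash(?:-es)?\/template['"]\s*\)/,                    // require('lodash/template')
];

// files: map of path -> source text. Returns the sorted paths that reference template().
function findTemplateUsage(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    if (TEMPLATE_PATTERNS.some((re) => re.test(text))) hits.push(path);
  }
  return hits.sort();
}

// Constructed sample sources: one clean file, two that would fail the audit.
const SAMPLE_FILES = {
  'src/app/a.ts': "import { cloneDeep } from 'lodash';\nexport const x = cloneDeep({});",
  'src/app/b.ts': "import template from 'lodash-es/template';\nexport const t = template('<%= u %>');",
  'src/app/c.js': "const _ = require('lodash');\nmodule.exports = _.template('hi <%= n %>');",
};

if (typeof module !== 'undefined' && require.main === module) {
  console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge));
  console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));
  console.log('files using lodash template():', findTemplateUsage(SAMPLE_FILES));
}
```

      To apply the same check to the real tree rather than the constructed sample, run `grep -rnE "_\.template\(|lodash(-es)?/template" src/` over the application sources and `npm ls lodash lodash-es` to see which packages pull the libraries in and at what versions; an alias such as `import { template as tpl }` would still be caught by the import pattern, but a renamed re-export from another module would not, so treat the scan as a first pass rather than proof.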

      Maintainer Note

      Resolution of the issue for release 2.5.3 is dismissed, as no updated version of lodash that fixes the vulnerabilities is available.

          People

            ZTNEERAJ303 Neeraj Patidar
            ap Andreas Püschel