bump: lodash and lodash-es to fix audit #41434

Merged: HowardBraham merged 2 commits into main from lodash, Apr 2, 2026

Conversation

HowardBraham (Contributor) commented Apr 2, 2026

Description

Fix audit problem of lodash-es.
There is also an "invisible" problem with lodash; I think yarn might not have noticed it because of the patch.

├─ lodash-es
│  ├─ ID: 1115805
│  ├─ Issue: lodash vulnerable to Code Injection via `_.template` imports key names
│  ├─ URL: https://github.com/advisories/GHSA-r5fr-rjxr-66jc
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=4.0.0 <=4.17.23
│  │ 
│  ├─ Tree Versions
│  │  └─ 4.17.23
│  │ 
│  └─ Dependents
│     └─ @myx-trade/sdk@npm:0.1.271
│
└─ lodash-es
   ├─ ID: 1115809
   ├─ Issue: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
   ├─ URL: https://github.com/advisories/GHSA-f23m-r3pf-42rh
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <=4.17.23
   │ 
   ├─ Tree Versions
   │  └─ 4.17.23
   │ 
   └─ Dependents
      └─ @myx-trade/sdk@npm:0.1.271

Changelog

CHANGELOG entry: null


Note

Medium Risk
Updates a widely-used utility dependency and its Yarn patch, which could cause subtle runtime behavior changes across the app despite being a targeted security/audit fix.

Overview
Bumps lodash and lodash-es to 4.18.1 (from 4.17.23) to address reported security advisories, updating both package.json resolutions/dependencies and yarn.lock.

Refreshes the Yarn patch applied to lodash for Firefox content-script compatibility by switching Lodash’s global detection from global to globalThis in _freeGlobal.js, core.js, and lodash.js.

Written by Cursor Bugbot for commit 62cb11b.

github-actions Bot (Contributor) commented Apr 2, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

HowardBraham self-assigned this Apr 2, 2026
metamaskbot added the team-extension-platform (Extension Platform team) label Apr 2, 2026
HowardBraham (Contributor, Author) commented:

@metamaskbot update-policies

metamaskbot (Collaborator) commented:

No policy changes

metamaskbotv2 Bot (Contributor) commented Apr 2, 2026

Builds ready [96d22c3]
⚡ Performance Benchmarks (Total: 🟢 18 pass · 🟡 0 warn · 🔴 0 fail)

Baseline (latest main): 0b94eec | Date: 4/22/58220 | Pipeline: 23886345445 | Baseline logs

Interaction Benchmarks

Benchmark          chrome-browserify
loadNewAccount     🟢 pass
confirmTx          🟢 pass
bridgeUserActions  🟢 pass

📈 Results compared to the previous 5 runs on main

  • bridgeUserActions/bridge_load_page: -12%
  • bridgeUserActions/bridge_search_token: -21%
  • bridgeUserActions/total: -20%
Startup Benchmarks

Benchmark             chrome-browserify  chrome-webpack  firefox-browserify  firefox-webpack
startupStandardHome   🟢 pass            🟢 pass         🟢 pass             🟢 pass
startupPowerUserHome  🟢 pass            🟢 pass         🟢 pass             🟢 pass

📈 Results compared to the previous 5 runs on main

  • startupStandardHome/initialActions: -44%
  • startupPowerUserHome/domInteractive: +12%
  • startupPowerUserHome/backgroundConnect: -45%
  • startupPowerUserHome/backgroundConnect: +28%
  • startupPowerUserHome/numNetworkReqs: -41%
  • startupStandardHome/domInteractive: -31%
  • startupStandardHome/initialActions: +43%
  • startupStandardHome/setupStore: +10%
  • startupPowerUserHome/domInteractive: -16%
  • startupPowerUserHome/setupStore: -32%
  • startupStandardHome/initialActions: +43%
  • startupStandardHome/setupStore: +31%
  • startupPowerUserHome/setupStore: -16%
User Journey Benchmarks

Benchmark              chrome-browserify
onboardingImportWallet 🟢 pass
onboardingNewWallet    🟢 pass
assetDetails           🟢 pass
solanaAssetDetails     🟢 pass
importSrpHome          🟢 pass
sendTransactions       🟢 pass
swap                   🟢 pass

📈 Results compared to the previous 5 runs on main

  • onboardingImportWallet/metricsToWalletReadyScreen: -38%
  • onboardingImportWallet/doneButtonToHomeScreen: -75%
  • onboardingImportWallet/openAccountMenuToAccountListLoaded: +83%
  • onboardingImportWallet/total: -37%
  • onboardingNewWallet/skipBackupToMetricsScreen: +14%
  • onboardingNewWallet/agreeButtonToOnboardingSuccess: +12%
  • onboardingNewWallet/doneButtonToAssetList: -28%
  • onboardingNewWallet/total: -24%
  • assetDetails/assetClickToPriceChart: -53%
  • assetDetails/total: -53%
  • solanaAssetDetails/assetClickToPriceChart: -38%
  • solanaAssetDetails/total: -38%
  • importSrpHome/loginToHomeScreen: +24%
  • importSrpHome/openAccountMenuAfterLogin: -72%
  • importSrpHome/homeAfterImportWithNewWallet: -42%
  • importSrpHome/total: -35%
  • swap/openSwapPageFromHome: -86%
  • swap/fetchAndDisplaySwapQuotes: +28%
  • swap/total: +11%
🌐 Dapp Page Load Benchmarks

Current Commit: 96d22c3 | Date: 4/2/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

  • pageLoadTime: current mean value 1.05s (±71ms) 🟡 | historical mean value 1.04s ⬆️
  • domContentLoaded: current mean value 739ms (±70ms) 🟢 | historical mean value 728ms ⬆️
  • firstContentfulPaint: current mean value 85ms (±9ms) 🟢 | historical mean value 85ms ⬇️

📈 Detailed Results

Metric                  Mean   Std Dev  Min    Max    P95    P99
pageLoadTime            1.05s  71ms     1.00s  1.33s  1.26s  1.33s
domContentLoaded        739ms  70ms     698ms  1.02s  950ms  1.02s
firstPaint              85ms   9ms      68ms   152ms  96ms   152ms
firstContentfulPaint    85ms   9ms      68ms   152ms  96ms   152ms
largestContentfulPaint  0ms    0ms      0ms    0ms    0ms    0ms
Bundle size diffs
  • background: 58 Bytes (0%)
  • ui: 5 Bytes (0%)
  • common: -122 Bytes (0%)

sonarqubecloud Bot commented Apr 2, 2026

HowardBraham marked this pull request as ready for review April 2, 2026 07:09
HowardBraham requested a review from a team as a code owner April 2, 2026 07:09

metamaskbotv2 Bot (Contributor) commented Apr 2, 2026

Builds ready [62cb11b]
⚡ Performance Benchmarks (Total: 🟢 18 pass · 🟡 0 warn · 🔴 0 fail)

Baseline (latest main): 0b94eec | Date: 4/22/58220 | Pipeline: 23887676228 | Baseline logs

Interaction Benchmarks

Benchmark          chrome-browserify
loadNewAccount     🟢 pass
confirmTx          🟢 pass
bridgeUserActions  🟢 pass

📈 Results compared to the previous 5 runs on main

  • loadNewAccount/load_new_account: +12%
  • loadNewAccount/total: +12%
  • bridgeUserActions/bridge_load_asset_picker: +24%
  • bridgeUserActions/total: +19%
Startup Benchmarks

Benchmark             chrome-browserify  chrome-webpack  firefox-browserify  firefox-webpack
startupStandardHome   🟢 pass            🟢 pass         🟢 pass             🟢 pass
startupPowerUserHome  🟢 pass            🟢 pass         🟢 pass             🟢 pass

📈 Results compared to the previous 5 runs on main

  • startupStandardHome/firstReactRender: +15%
  • startupStandardHome/initialActions: +11%
  • startupPowerUserHome/backgroundConnect: -38%
  • startupPowerUserHome/numNetworkReqs: +51%
  • startupStandardHome/firstPaint: -15%
  • startupPowerUserHome/backgroundConnect: +16%
  • startupPowerUserHome/numNetworkReqs: -45%
  • startupStandardHome/initialActions: +43%
  • startupPowerUserHome/setupStore: -22%
  • startupStandardHome/initialActions: +43%
  • startupStandardHome/setupStore: +45%
  • startupPowerUserHome/setupStore: -13%
User Journey Benchmarks

Benchmark              chrome-browserify
onboardingImportWallet 🟢 pass
onboardingNewWallet    🟢 pass
assetDetails           🟢 pass
solanaAssetDetails     🟢 pass
importSrpHome          🟢 pass
sendTransactions       🟢 pass
swap                   🟢 pass

📈 Results compared to the previous 5 runs on main

  • onboardingImportWallet/metricsToWalletReadyScreen: -18%
  • onboardingImportWallet/doneButtonToHomeScreen: -72%
  • onboardingImportWallet/openAccountMenuToAccountListLoaded: +84%
  • onboardingImportWallet/total: -35%
  • onboardingNewWallet/skipBackupToMetricsScreen: -14%
  • onboardingNewWallet/agreeButtonToOnboardingSuccess: -28%
  • onboardingNewWallet/doneButtonToAssetList: -26%
  • onboardingNewWallet/total: -21%
  • assetDetails/assetClickToPriceChart: -34%
  • assetDetails/total: -34%
  • solanaAssetDetails/assetClickToPriceChart: -43%
  • solanaAssetDetails/total: -43%
  • importSrpHome/loginToHomeScreen: +19%
  • importSrpHome/openAccountMenuAfterLogin: -68%
  • importSrpHome/homeAfterImportWithNewWallet: -42%
  • importSrpHome/total: -36%
  • swap/openSwapPageFromHome: -85%
  • swap/fetchAndDisplaySwapQuotes: +28%
  • swap/total: +12%
🌐 Dapp Page Load Benchmarks

Current Commit: 62cb11b | Date: 4/2/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

  • pageLoadTime: current mean value 1.05s (±73ms) 🟡 | historical mean value 1.04s ⬆️
  • domContentLoaded: current mean value 738ms (±70ms) 🟢 | historical mean value 728ms ⬆️
  • firstContentfulPaint: current mean value 86ms (±10ms) 🟢 | historical mean value 85ms ⬆️

📈 Detailed Results

Metric                  Mean   Std Dev  Min    Max    P95    P99
pageLoadTime            1.05s  73ms     1.01s  1.33s  1.30s  1.33s
domContentLoaded        738ms  70ms     703ms  1.01s  988ms  1.01s
firstPaint              86ms   10ms     68ms   156ms  96ms   156ms
firstContentfulPaint    86ms   10ms     68ms   156ms  96ms   156ms
largestContentfulPaint  0ms    0ms      0ms    0ms    0ms    0ms
Bundle size diffs
  • background: 58 Bytes (0%)
  • ui: 5 Bytes (0%)
  • common: -4 Bytes (0%)

HowardBraham added this pull request to the merge queue Apr 2, 2026
Merged via the queue into main with commit 7ee9d56 Apr 2, 2026
216 of 217 checks passed
HowardBraham deleted the lodash branch April 2, 2026 07:18
github-actions Bot locked and limited conversation to collaborators Apr 2, 2026
metamaskbot added the release-13.26.0 (Issue or pull request that will be included in release 13.26.0) label Apr 2, 2026
Labels: release-13.26.0 (Issue or pull request that will be included in release 13.26.0), size-S, skip-release-validation, team-extension-platform (Extension Platform team)
