
fix(deps): remove unused cz-conventional-changelog to address CVE-2026-4800 #3019

Open
Michael Pham (michaelphamcf) wants to merge 2 commits into master from fix/lodash-cve-2026-4800

Conversation

Contributor

@michaelphamcf Michael Pham (michaelphamcf) commented Apr 29, 2026

Summary

  • Fixes Dependabot alert #208, CVE-2026-4800 (high severity code injection via _.template imports key names in lodash <= 4.17.23)
  • Root cause: commitizen@4.3.1 (transitive dep of cz-conventional-changelog) pins lodash at exactly 4.17.21, creating a vulnerable nested copy
  • Fix: Remove cz-conventional-changelog entirely — it's unused in this repo. No scripts, hooks, CI workflows, or docs reference it. The changelog/release pipeline uses semantic-release, which is independent of commitizen.
  • Also bumps the direct lodash devDependency from ^4.17.20 to ^4.18.0
  • Drops 94 packages from the dependency tree

Test plan

  • npm run test:unit — all 785 tests pass
  • npm run build — builds cleanly
  • npm ls lodash — only lodash@4.18.1 remains, no nested vulnerable copies
  • CI passes

🤖 Generated with Claude Code

commitizen pins lodash at 4.17.21, which is vulnerable to code injection
via _.template imports key names. Add npm override to force all transitive
lodash to match the direct dependency range (^4.18.0).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

bito-code-review Bot commented Apr 29, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at michael.pearce@contentful.com.

…6-4800

commitizen pins lodash at 4.17.21, which is vulnerable to code injection
via _.template imports key names. cz-conventional-changelog is unused in
this repo — no scripts, hooks, CI workflows, or docs reference it. The
changelog/release pipeline uses semantic-release, which is independent.

Removing the dead dependency eliminates the vulnerable transitive lodash
copy entirely and drops 94 packages from the tree.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
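The `npm ls lodash` check from the test plan above, as an added example that is not part of this PR: a Node script that walks `npm ls --all --json`-style output and reports every installed copy of a package below a given version, skipping `deduped` entries so a hoisted copy is not reported twice. The embedded tree is constructed; `example-plugin`, `example-cli` and the `3.3.0` version are made-up, only the commitizen@4.3.1 -> lodash@4.17.21 chain comes from the PR.

```javascript
// Added example (not from the PR): walk an `npm ls --all --json`-style tree and list
// every installed copy of a package below a minimum version, the check the PR's test
// plan does by hand with `npm ls lodash`. Shape: { name, version, dependencies: {...} }.
function parseVersion(v) {
  // Numeric major.minor.patch only; prerelease and build tags are dropped.
  return v.split('+')[0].split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function versionLess(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

function findOutdatedCopies(tree, pkgName, minVersion) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const childPath = [...path, `${name}@${child.version}`];
      // A `deduped` entry refers to a copy hoisted higher in the tree, not a
      // separate install, so it is skipped rather than reported twice.
      if (name === pkgName && !child.deduped && child.version && versionLess(child.version, minVersion)) {
        hits.push({ path: childPath.join(' > '), version: child.version });
      }
      walk(child, childPath);
    }
  };
  walk(tree, [tree.name || 'root']);
  return hits;
}

// Constructed sample: the cz-conventional-changelog > commitizen@4.3.1 > lodash@4.17.21
// chain is the one the PR describes; the other names and versions are made up.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    lodash: { version: '4.18.1' },
    'cz-conventional-changelog': {
      version: '3.3.0',
      dependencies: { commitizen: { version: '4.3.1', dependencies: { lodash: { version: '4.17.21' } } } },
    },
    'example-plugin': { version: '2.0.0', dependencies: { lodash: { version: '4.17.23' } } },
    'example-cli': { version: '1.2.0', dependencies: { lodash: { version: '4.18.1', deduped: true } } },
  },
};
const findings = findOutdatedCopies(SAMPLE_TREE, 'lodash', '4.18.0');
console.log(findings.length ? findings : 'no lodash copies below 4.18.0');
```

On a real checkout, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls lodash --all --json`; an empty result is the "no nested vulnerable copies" condition the test plan describes.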
@michaelphamcf Michael Pham (michaelphamcf) changed the title from "fix(deps): bump lodash to >=4.18.0 to address CVE-2026-4800" to "fix(deps): remove unused cz-conventional-changelog to address CVE-2026-4800" on Apr 29, 2026