Update lodash (#1146)

ecraig12345 · web-flow · commit 0b7f01fc439c · 2026-01-23T02:08:03.000-08:00
diff --git a/change/beachball-41f41008-21c8-426f-b7ba-6a012d8873c0.json b/change/beachball-41f41008-21c8-426f-b7ba-6a012d8873c0.json
@@ -0,0 +1,7 @@
+{
+  "type": "none",
+  "comment": "Unpin lodash dev deps due to security issues",
+  "packageName": "beachball",
+  "email": "elcraig@microsoft.com",
+  "dependentChangeType": "none"
+}
diff --git a/docs/package.json b/docs/package.json
@@ -19,7 +19,13 @@
     "vuepress": "^2.0.0-rc"
   },
   "resolutions": {
-    "@types/node@npm:*": "^22.0.0"
+    "@types/node@npm:*": "^22.0.0",
+    "lodash-es@npm:4.17.21": "^4.17.21"
+  },
+  "rationale": {
+    "resolutions": {
+      "lodash-es": "Unpin due to security issue"
+    }
   },
   "engines": {
     "node": ">=22",
diff --git a/docs/yarn.lock b/docs/yarn.lock
@@ -3466,17 +3466,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"lodash-es@npm:4.17.21":
-  version: 4.17.21
-  resolution: "lodash-es@npm:4.17.21"
-  checksum: 10c0/fb407355f7e6cd523a9383e76e6b455321f0f153a6c9625e21a8827d10c54c2a2341bd2ae8d034358b60e07325e1330c14c224ff582d04612a46a4f0479ff2f2
-  languageName: node
-  linkType: hard
-
 "lodash-es@npm:^4.17.21":
-  version: 4.17.22
-  resolution: "lodash-es@npm:4.17.22"
-  checksum: 10c0/5f28a262183cca43e08c580622557f393cb889386df2d8adf7c852bfdff7a84c5e629df5aa6c5c6274e83b38172f239d3e4e72e1ad27352d9ae9766627338089
+  version: 4.17.23
+  resolution: "lodash-es@npm:4.17.23"
+  checksum: 10c0/3150fb6660c14c7a6b5f23bd11597d884b140c0e862a17fdb415aaa5ef7741523182904a6b7929f04e5f60a11edb5a79499eb448734381c99ffb3c4734beeddd
   languageName: node
   linkType: hard
 
diff --git a/package.json b/package.json
@@ -94,6 +94,7 @@
   },
   "resolutions": {
     "@types/node": "^14.0.0",
+    "**/lodash": "4.17.23",
     "**/verdaccio/js-yaml": "^4.1.0",
     "**/verdaccio/validator": "^13.15.22",
     "**/@verdaccio/config/js-yaml": "^4.1.0",
@@ -106,6 +107,7 @@
       "verdaccio-memory@10.3.2": "node 18 required by newer version"
     },
     "resolutions": {
+      "**/lodash": "Unpin due to security issue",
       "**/verdaccio/js-yaml": "Unpin js-yaml due to security issue",
       "**/verdaccio/validator": "Unpin validator due to security issue",
       "**/@verdaccio/config/js-yaml": "Unpin js-yaml due to security issue",
diff --git a/yarn.lock b/yarn.lock
@@ -3525,10 +3525,10 @@ lodash.once@^4.0.0:
   resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac"
   integrity sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==
 
-lodash@4, lodash@4.17.21, lodash@^4.17.21:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
-  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+lodash@4, lodash@4.17.21, lodash@4.17.23, lodash@^4.17.21:
+  version "4.17.23"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.23.tgz#f113b0378386103be4f6893388c73d0bde7f2c5a"
+  integrity sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==
 
 log-update@^4.0.0:
   version "4.0.0"
