Debian Package Tracker

node-lodash

Lo-dash is a Node.js utility library


general
  • source: node-lodash (main)
  • version: 4.18.1+dfsg-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Pirate Praveen [DMD] – Matthew Pideil [DMD] – Valentin OVD [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 4.17.21+dfsg+~cs8.31.173-1
  • oldstable: 4.17.21+dfsg+~cs8.31.198.20210220-9
  • stable: 4.17.21+dfsg+~cs8.31.198.20210220-9
  • testing: 4.17.23+dfsg-1
  • unstable: 4.18.1+dfsg-1
versioned links
  • 4.17.21+dfsg+~cs8.31.173-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.17.21+dfsg+~cs8.31.198.20210220-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.17.23+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.18.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libjs-lodash
  • node-lodash (1 bug: 0, 1, 0, 0)
  • node-lodash-packages
action needed
3 security issues in trixie (severity: high)

There are 3 open security issues in trixie.

2 important issues:
  • CVE-2026-2950: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
  • CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
1 issue left for the package maintainer to handle:
  • CVE-2025-13465: (needs triaging) Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-21 Last update: 2026-04-03 14:32
2 security issues in forky (severity: high)

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-2950: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
  • CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Created: 2026-04-01 Last update: 2026-04-03 14:32
3 security issues in bullseye (severity: high)

There are 3 open security issues in bullseye.

3 important issues:
  • CVE-2026-2950: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
  • CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
  • CVE-2025-13465: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
Created: 2026-01-21 Last update: 2026-04-03 14:32
3 security issues in bookworm (severity: high)

There are 3 open security issues in bookworm.

2 important issues:
  • CVE-2026-2950: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
  • CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
1 issue left for the package maintainer to handle:
  • CVE-2025-13465: (needs triaging) Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-21 Last update: 2026-04-03 14:32
lintian reports 19 warnings (severity: high)
Lintian reports 19 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2021-09-06 Last update: 2026-04-02 18:00
debian/patches: 2 patches to forward upstream (severity: low)

Among the 4 debian patches available in version 4.18.1+dfsg-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-04-02 16:02
testing migrations
  • excuses:
    • Migration status for node-lodash (4.17.23+dfsg-1 to 4.18.1+dfsg-1): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Too young, only 2 of 5 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-lodash.html
      • Autopkgtest for node-lodash/4.18.1+dfsg-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: No tests, superficial or marked flaky ♻
      • Reproduced on amd64
      • Reproduced on arm64
      • Reproduced on armhf
      • Reproduced on i386
      • Reproduced on ppc64el
    • Not considered
news
[rss feed]
  • [2026-04-02] Accepted node-lodash 4.18.1+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2026-02-12] node-lodash 4.17.23+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-06] Accepted node-lodash 4.17.23+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2026-02-01] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-10 (source) into unstable (Utkarsh Gupta)
  • [2022-05-29] node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-9 MIGRATED to testing (Debian testing watch)
  • [2022-05-23] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-9 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-15] node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-8 MIGRATED to testing (Debian testing watch)
  • [2022-04-07] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-8 (source) into unstable (Jérémy Lal)
  • [2022-04-06] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-7 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-03-19] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-6 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-12-15] node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-5 MIGRATED to testing (Debian testing watch)
  • [2021-12-10] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-12-08] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-12-08] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-3 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-11-28] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-2 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-11-28] Accepted node-lodash 4.17.21+dfsg+~cs8.31.198.20210220-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-10-12] node-lodash 4.17.21+dfsg+~cs8.31.196.20210220-2 MIGRATED to testing (Debian testing watch)
  • [2021-10-06] Accepted node-lodash 4.17.21+dfsg+~cs8.31.196.20210220-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-10-06] Accepted node-lodash 4.17.21+dfsg+~cs8.31.196.20210220-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-10-04] Accepted node-lodash 4.17.21+dfsg+~cs8.31.189.20210220-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2021-10-02] Accepted node-lodash 4.17.21+dfsg+~cs8.31.189.20210220-2~bpo11+1 (source all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
  • [2021-08-21] node-lodash 4.17.21+dfsg+~cs8.31.189.20210220-2 MIGRATED to testing (Debian testing watch)
  • [2021-08-15] Accepted node-lodash 4.17.21+dfsg+~cs8.31.189.20210220-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-04-20] Accepted node-lodash 4.17.21+dfsg+~cs8.31.189.20210220-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-03-18] node-lodash 4.17.21+dfsg+~cs8.31.173-1 MIGRATED to testing (Debian testing watch)
  • [2021-03-13] Accepted node-lodash 4.17.21+dfsg+~cs8.31.173-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-01-12] node-lodash 4.17.20+dfsg+~cs8.31.172-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-09] Accepted node-lodash 4.17.20+dfsg+~cs8.31.170-1~bpo10+1 (source all) into buster-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-01-07] Accepted node-lodash 4.17.20+dfsg+~cs8.31.172-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-11-22] node-lodash 4.17.20+dfsg+~cs8.31.170-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 19)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 4.17.23+dfsg-1
  • 1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers