
chore(client): bump lodash to 4.18.1 in design-system packages #41864

Open
subrata71 wants to merge 2 commits into release from chore/fix-lodash-version-pins

Conversation

@subrata71
Collaborator

@subrata71 subrata71 commented Jun 3, 2026

Description

The Yarn resolution for lodash: 4.18.1 was already set in app/client/package.json, which forces the lockfile version. However, Dependabot still flagged 6 alerts because the design-system sub-packages (theming, widgets) and the root package.json declared lodash: ">=4.17.21" as a direct dependency — a range that includes vulnerable versions.

This PR updates the declared version from >=4.17.21 to ^4.18.1 in:

  • app/client/package.json (lodash + lodash-es)
  • app/client/packages/design-system/theming/package.json
  • app/client/packages/design-system/widgets/package.json

The lockfile is regenerated to reflect the new declarations.

Dependabot Alerts Resolved

Fixes https://linear.app/appsmith/issue/APP-15271

Slack thread: https://theappsmith.slack.com/archives/C09NG5BJ18S/p1780304878402439

Testing

  • yarn install completes cleanly
  • lodash resolves to 4.18.1 in the lockfile (forced by existing resolution)
  • No runtime changes — only version declaration alignment

/ok-to-test tags="@tag.All"

Communication
Should the DevRel and Backend teams be notified?

  • No

Summary by CodeRabbit

  • Chores
    • Updated utility library dependencies across application packages to improve compatibility and stability.
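The situation the description explains, a Yarn resolution that pins the lockfile while manifests still declare a range whose lower bound is below the fix, can be checked mechanically. The following audit is an added example, not code from the Appsmith repository: it reads parsed package.json objects (the constructed BEFORE map mirrors the three manifests the PR lists) and reports any declared range for a package that admits versions below a given fix version. It deliberately ignores the "resolutions" field, since that is what a scanner reading declared ranges does. The regex-based range parser is a hypothetical helper that covers the shapes seen on this page (">=X", "^X", "~X", exact "X"); anything else is reported as "unparsed".

```javascript
// Added example, not code from the Appsmith repository: audit workspace
// manifests for a package whose declared range still admits versions below a
// required fix. Supports ">=X", "^X", "~X" and exact "X"; any other range
// shape is reported as "unparsed" rather than silently accepted.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Lowest version a range admits: ">=X", "^X", "~X" and "X" all start at X.
function rangeLowerBound(range) {
  const m = /^(>=|\^|~)?v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[2]) : null;
}

const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies"];

// manifests: { "<path>": <parsed package.json> }. A "resolutions" entry is
// ignored on purpose: it pins the lockfile, not the declared range a scanner
// such as Dependabot reads from each manifest.
function findWeakDeclarations(manifests, pkgName, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  const findings = [];
  for (const [file, manifest] of Object.entries(manifests)) {
    for (const field of DEP_FIELDS) {
      const range = manifest[field] && manifest[field][pkgName];
      if (range === undefined) continue;
      const lower = rangeLowerBound(range);
      if (lower === null) findings.push({ file, field, range, reason: "unparsed" });
      else if (compareVersions(lower, fixed) < 0)
        findings.push({ file, field, range, reason: "admits-vulnerable" });
    }
  }
  return findings;
}

// Constructed manifests mirroring the PR's "before" state (paths from the PR).
const BEFORE = {
  "app/client/package.json": {
    dependencies: { lodash: ">=4.17.21", "lodash-es": "4.17.21" },
    resolutions: { lodash: "4.18.1" },
  },
  "app/client/packages/design-system/theming/package.json": { dependencies: { lodash: ">=4.17.21" } },
  "app/client/packages/design-system/widgets/package.json": { dependencies: { lodash: ">=4.17.21" } },
};
```

Running findWeakDeclarations(BEFORE, "lodash", "4.18.1") reports all three manifests despite the resolution, and an empty result once the declarations read "^4.18.1".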

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/26931519993
Commit: 4270ef4
Cypress dashboard.
Tags: @tag.All
Spec:


Thu, 04 Jun 2026 10:32:04 UTC

Update lodash version declarations from >=4.17.21 to ^4.18.1 in
root package.json and design-system sub-packages (theming, widgets).
The Yarn resolution was already set but Dependabot flagged the
declared version range in sub-package manifests.

Also update lodash-es from 4.17.21 to ^4.18.1 in root dependencies.

Resolves 6 remaining lodash Dependabot alerts.
@coderabbitai
Contributor

coderabbitai Bot commented Jun 3, 2026

Walkthrough

The PR updates lodash and lodash-es dependencies to ^4.18.1 across the client application and design system packages, replacing prior minimum-only or pinned version constraints.

Changes

Lodash dependency upgrade

  • Layer: Lodash version constraints across client packages
  • File(s): app/client/package.json, app/client/packages/design-system/theming/package.json, app/client/packages/design-system/widgets/package.json
  • Summary: Both lodash and lodash-es in the main client package, and lodash in both design system packages, are updated from older minimum constraints (>=4.17.21) and pinned versions (4.17.21) to the compatible range ^4.18.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

📦 Lodash gets an upgrade today,
From 4.17's yesterday,
To 4.18, caret and free,
Three packages now agree! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Title check (Passed): The title clearly summarizes the main change: updating lodash versions in design-system packages, which is the primary objective of the PR.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Description check (Passed): PR description is comprehensive and follows the template structure with clear context, motivation, issue references, and testing details.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


@subrata71 subrata71 self-assigned this Jun 3, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Jun 3, 2026
@subrata71 subrata71 requested a review from ashit-rath June 4, 2026 10:20