
Fix lodash-es prototype pollution vulnerability#1775

Merged

pmckinney-codat merged 1 commit into main from fix/lodash-es-override on Feb 25, 2026

Conversation


@pmckinney-codat pmckinney-codat commented Feb 25, 2026

Summary

  • Add npm overrides in package.json to force all nested lodash-es copies to 4.17.23
  • Resolves prototype pollution vulnerability (GHSA-xxjr-mmjv-4gpg) in transitive dependencies from @chevrotain/cst-dts-gen, @chevrotain/gast, and chevrotain
  • Reduces total npm audit vulnerability count from 69 to 61

Details

The lodash-es packages nested inside chevrotain (used by mermaid/langium) were pinned at 4.17.21, which is vulnerable to prototype pollution via _.unset and _.omit. The npm override forces all copies to resolve to 4.17.23, which includes the fix.

Remaining unfixable vulnerabilities (no upstream fix available)

| Package | Severity | Reason |
|---|---|---|
| lodash ≥4.17.10 | moderate | No safe version exists |
| @isaacs/brace-expansion | high | All versions vulnerable |
| axios ≥1.6.5 | high | All recent versions vulnerable |
| @sentry/browser <7.119.1 | moderate | Locked to 6.x by @StopLight |
| undici ≥7.12.0 | moderate | No fix available |

Test plan

  • npm install succeeds without errors
  • npm audit shows reduced vulnerability count
  • Site builds successfully with npm run build

🤖 Generated with Claude Code

Add npm override to force all nested lodash-es copies to 4.17.23,
resolving the prototype pollution vulnerability (GHSA-xxjr-mmjv-4gpg)
in transitive dependencies from chevrotain packages. Reduces total
vulnerability count from 69 to 61.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
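Added example, not part of this PR or the repository: a small check that scans the `packages` map of a package-lock.json for lodash-es copies still older than the override target, which is the state the override is meant to eliminate. The lockfile below is a constructed miniature, and `findStaleCopies` and `compareVersions` are hypothetical helper names.

```javascript
// Version the package.json "overrides" entry pins lodash-es to (from the PR).
const TARGET = "4.17.23";

// Compare two dotted version strings numerically; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a lockfile's "packages" map and return every installed path whose
// package name is `pkg` but whose version is older than `minVersion`.
// Nested copies live under paths like "node_modules/a/node_modules/<pkg>".
function findStaleCopies(lock, pkg, minVersion) {
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = path.split("node_modules/").pop(); // keeps "@scope/name" intact
    if (name !== pkg || !meta.version) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      stale.push({ path, version: meta.version });
    }
  }
  return stale;
}

// Constructed lockfile (not the real one): the hoisted copy is current but a
// copy nested under chevrotain is still at the vulnerable 4.17.21.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-docs", overrides: { "lodash-es": TARGET } },
    "node_modules/lodash-es": { version: "4.17.23" },
    "node_modules/chevrotain/node_modules/lodash-es": { version: "4.17.21" },
  },
};

const stale = findStaleCopies(sampleLock, "lodash-es", TARGET);
console.log(stale.length === 0 ? "all lodash-es copies at or above " + TARGET : stale);
```

Run against the real lockfile after `npm install`, an empty result confirms the override took effect for every nested copy.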

vercel bot commented Feb 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| codat-docs | Building | Preview, Comment | Feb 25, 2026 7:06pm |


@github-actions

Link check results for preview deployment (https://codat-docs-git-fix-lodash-es-override-codat.vercel.app):

[
  "[401] https://codat-docs-git-fix-lodash-es-override-codat.vercel.app/"
]

@pmckinney-codat pmckinney-codat merged commit 6e6d6a8 into main Feb 25, 2026
5 of 7 checks passed
@pmckinney-codat pmckinney-codat deleted the fix/lodash-es-override branch February 25, 2026 21:08