From 3eb373ed89f2b10df65f8a570a9a181bed4bd7e6 Mon Sep 17 00:00:00 2001
From: pmckinney-codat
Date: Wed, 25 Feb 2026 19:05:39 +0000
Subject: [PATCH] Fix lodash-es prototype pollution vulnerability via npm
override
Add npm override to force all nested lodash-es copies to 4.17.23,
resolving the prototype pollution vulnerability (GHSA-xxjr-mmjv-4gpg)
in transitive dependencies from chevrotain packages. Reduces total
vulnerability count from 69 to 61.
Co-Authored-By: Claude Opus 4.6
---
package-lock.json | 18 ------------------
package.json | 3 +++
2 files changed, 3 insertions(+), 18 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index fbdd63af5..611dfb9aa 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2184,12 +2184,6 @@
"lodash-es": "4.17.21"
}
},
- "node_modules/@chevrotain/cst-dts-gen/node_modules/lodash-es": {
- "version": "4.17.21",
- "resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/lodash-es/-/lodash-es-4.17.21.tgz",
- "integrity": "sha1-Q+YmxG5lkbd1C+srUBFzkMYJ4+4=",
- "license": "MIT"
- },
"node_modules/@chevrotain/gast": {
"version": "11.0.3",
"resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/@chevrotain/gast/-/gast-11.0.3.tgz",
@@ -2200,12 +2194,6 @@
"lodash-es": "4.17.21"
}
},
- "node_modules/@chevrotain/gast/node_modules/lodash-es": {
- "version": "4.17.21",
- "resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/lodash-es/-/lodash-es-4.17.21.tgz",
- "integrity": "sha1-Q+YmxG5lkbd1C+srUBFzkMYJ4+4=",
- "license": "MIT"
- },
"node_modules/@chevrotain/regexp-to-ast": {
"version": "11.0.3",
"resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.0.3.tgz",
@@ -10451,12 +10439,6 @@
"chevrotain": "^11.0.0"
}
},
- "node_modules/chevrotain/node_modules/lodash-es": {
- "version": "4.17.21",
- "resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/lodash-es/-/lodash-es-4.17.21.tgz",
- "integrity": "sha1-Q+YmxG5lkbd1C+srUBFzkMYJ4+4=",
- "license": "MIT"
- },
"node_modules/chokidar": {
"version": "3.6.0",
"resolved": "https://pkgs.dev.azure.com/codat/Codat/_packaging/codat-npm/npm/registry/chokidar/-/chokidar-3.6.0.tgz",
diff --git a/package.json b/package.json
index 0ebc95699..ab2c277cf 100644
--- a/package.json
+++ b/package.json
@@ -75,5 +75,8 @@
},
"engines": {
"node": ">=20.0 <25"
+ },
+ "overrides": {
+ "lodash-es": "4.17.23"
}
}
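Review bot: The override pins an exact version (`"lodash-es": "4.17.23"`), yet the package-lock.json hunks only remove the three nested 4.17.21 copies and add no 4.17.23 entry, so the fix relies on a hoisted `node_modules/lodash-es` entry already being at 4.17.23 somewhere outside these hunks. The context lines in the lockfile still declare `"lodash-es": "4.17.21"` as the chevrotain packages' requested range, which is expected with overrides, but it is worth confirming in the PR that `npm ls lodash-es` reports a single 4.17.23 resolution and that `npm audit` no longer lists GHSA-xxjr-mmjv-4gpg. An exact pin also means any future lodash-es advisory needs a manual bump of this override, and since package.json cannot carry a comment, the rationale (the advisory id and the chevrotain transitive path) lives only in this commit message; consider recording it wherever the project keeps dependency notes so the override is not removed as stale later.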