chore(deps): update dependency lodash to v4.17.21 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
lodash (source)	4.17.19 -> 4.17.21

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-23337

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2020-28500

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0) var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1) var time2 = Date.now();
lo.trimEnd(s) var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2)

CVE-2020-8203

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

---

Release Notes

lodash/lodash (lodash)

v4.17.21

Compare Source

v4.17.20

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm WARN cli npm v10.2.0 does not support Node.js v16.15.0. This version of npm supports the following node versions: `^18.17.0 || >=20.5.0`. You can find the latest version at https://nodejs.org/.
npm WARN cli npm v10.2.0 does not support Node.js v16.15.0. This version of npm supports the following node versions: `^18.17.0 || >=20.5.0`. You can find the latest version at https://nodejs.org/.
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @angular/[email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/zone.js
npm ERR!   zone.js@"0.10.3" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer zone.js@"^0.7.2" from @angular/[email protected]
npm ERR! node_modules/@angular/core
npm ERR!   @angular/core@"2.4.10" from the root project
npm ERR!   peer @angular/core@"2.4.10" from @angular/[email protected]
npm ERR!   node_modules/@angular/common
npm ERR!     @angular/common@"2.4.10" from the root project
npm ERR!     5 more (@angular/forms, @angular/platform-browser, ...)
npm ERR!   8 more (@angular/compiler, @angular/compiler-cli, ...)
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/zone.js
npm ERR!   peer zone.js@"^0.7.2" from @angular/[email protected]
npm ERR!   node_modules/@angular/core
npm ERR!     @angular/core@"2.4.10" from the root project
npm ERR!     peer @angular/core@"2.4.10" from @angular/[email protected]
npm ERR!     node_modules/@angular/common
npm ERR!       @angular/common@"2.4.10" from the root project
npm ERR!       5 more (@angular/forms, @angular/platform-browser, ...)
npm ERR!     8 more (@angular/compiler, @angular/compiler-cli, ...)
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/worker/600db4/950e06/cache/others/npm/_logs/2023-10-18T11_29_57_767Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in: /tmp/worker/600db4/950e06/cache/others/npm/_logs/2023-10-18T11_29_57_767Z-debug-0.log

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
2 Vulnerabilities
0 Security Hotspots
2 Code Smells

0.0% Coverage
0.0% Duplication

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (4.17.21). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.