MGMT-23747: Upgrade lodash to 4.18.0

[jgyselov]

https://redhat.atlassian.net/browse/MGMT-23747

Summary by CodeRabbit

• Chores
  • Updated lodash and lodash-es to version 4.18.1 across the project — applied in multiple packages and pinned in the root dependency resolutions.

[openshift-ci-robot]

@jgyselov: This pull request references MGMT-23747 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

https://redhat.atlassian.net/browse/MGMT-23747

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jgyselov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jgyselov]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Rate limit exceeded

@jgyselov has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 4 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 4 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 225c9461-b855-43de-901a-5ab7cb58d70f

📥 Commits

Reviewing files that changed from the base of the PR and between 9d00b50 and 806236b.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• apps/assisted-disconnected-ui/package.json
• apps/assisted-ui/package.json
• libs/ui-lib-tests/package.json
• package.json
• tools/toolbox/package.json

📝 Walkthrough

Walkthrough

Lodash dependency updated from ^4.17.23 to ^4.18.1 across multiple package.json files in the monorepo, with top-level Yarn resolutions also updated to pin lodash and lodash-es to ^4.18.1.

Changes

Cohort / File(s)	Summary
App packages apps/assisted-disconnected-ui/package.json, apps/assisted-ui/package.json	Bumped lodash dependency from ^4.17.23 to ^4.18.1.
Library tests libs/ui-lib-tests/package.json	Bumped lodash dependency from ^4.17.23 to ^4.18.1.
Tooling tools/toolbox/package.json	Bumped lodash dependency from ^4.17.23 to ^4.18.1.
Monorepo resolutions package.json	Updated Yarn resolutions to pin lodash and lodash-es to ^4.18.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• OCPBUGS-74470: bump lodash to ^4.17.23 to address CVE-2025-13465 #3410: Previously modified the same lodash dependency entries (related version bump history).

Suggested labels

lgtm, ok-to-test

Suggested reviewers

• ElayAharoni
• LiorSoffer

Poem

🐰 I hopped through package.json with care,
Pushed lodash up a tiny stair,
Dependencies snug in a neat little row,
Now builds can hop where the new versions go! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: updating lodash to version 4.18.0 across multiple package.json files in the monorepo.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@jgyselov: This pull request references MGMT-23747 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

https://redhat.atlassian.net/browse/MGMT-23747

Summary by CodeRabbit

• Chores
• Updated lodash dependency to version 4.18.0 across multiple packages in the project.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 49-50: The package.json currently pins "lodash" and "lodash-es" to
^4.18.0 which is deprecated; update both dependency entries ("lodash" and
"lodash-es") to use version "4.18.1" (remove the ^ if you want an exact pin),
then regenerate lockfile by running your package manager (npm install / npm ci)
so package-lock.json/yarn.lock reflects 4.18.1; ensure the change is committed
and CI passes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 80d64790-d099-48f1-9e4d-8880db810558

📥 Commits

Reviewing files that changed from the base of the PR and between 72477b8 and 6fb3386.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• apps/assisted-disconnected-ui/package.json
• apps/assisted-ui/package.json
• libs/ui-lib-tests/package.json
• package.json
• tools/toolbox/package.json

[openshift-ci-robot]

@jgyselov: This pull request references MGMT-23747 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

https://redhat.atlassian.net/browse/MGMT-23747

Summary by CodeRabbit

• Chores
• Updated lodash and lodash-es to version 4.18.1 across the project — applied in multiple packages and pinned in the root dependency resolutions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.