From 3a024843785651b7f4062cd8cca4354bdd65541e Mon Sep 17 00:00:00 2001
From: Lotus Bot
Date: Thu, 21 May 2026 22:01:31 -0400
Subject: [PATCH] fix: lodash 4.17.21->4.18.1, revert giphy upgrade (worse vulns)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

lodash >= 4.18.0 patches prototype-pollution (GHSA-f23m-r3pf-42rh) and code-injection (GHSA-r5fr-rjxr-66jc) used by slate-dom/slate-react in the deployed bundle.
Attempted @giphy/react-components@10.1.2 upgrade but it pulled in new high-severity lodash and js-cookie vulns — net regression, reverted.

Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 23 ++++++++++++++++-------
 package.json | 3 ++-
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 74e8eb320..7ddd90bc1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
 "@atlaskit/pragmatic-drag-and-drop-hitbox": "1.0.3",
 "@fontsource/inter": "4.5.14",
 "@giphy/js-fetch-api": "5.8.0",
- "@giphy/js-types": "5.1.0",
+ "@giphy/js-types": "4.3.0",
 "@giphy/react-components": "1.6.0",
 "@sentry/react": "10.53.1",
 "@tanstack/react-query": "5.24.1",
@@ -47,6 +47,7 @@
 "jotai": "2.6.0",
 "linkify-react": "4.3.2",
 "linkifyjs": "4.3.2",
+ "lodash": "4.18.1",
 "matrix-js-sdk": "38.2.0",
 "matrix-widget-api": "1.16.1",
 "millify": "6.1.0",
@@ -2632,9 +2633,9 @@
 }
 },
 "node_modules/@giphy/js-types": {
- "version": "5.1.0",
- "resolved": "https://registry.npmjs.org/@giphy/js-types/-/js-types-5.1.0.tgz",
- "integrity": "sha512-BZYCDtYNRR7cUWkbDLB4wmm3qmWMsVCQdUiBNOfmZ3yAazCgygKJoDI/5Rq4CK5MBaOc5LVdF8viC2WtoBdaPA==",
+ "version": "4.3.0",
+ "resolved": "https://registry.npmjs.org/@giphy/js-types/-/js-types-4.3.0.tgz",
+ "integrity": "sha512-uRzuHz58W/Locbr0xJqFhXtZqURLvjMFrQ2ZsFP5zuKf2vfvmAjRhTMN9rozfxpZWtRPhR8+oitEcrsFyMKeog==",
 "license": "MIT"
 },
 "node_modules/@giphy/js-util": {
@@ -8412,6 +8413,13 @@
 "node": ">=10"
 }
 },
+ "node_modules/commitizen/node_modules/lodash": {
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+ "dev": true,
+ "license": "MIT"
+ },
 "node_modules/commitizen/node_modules/minimist": {
 "version": "1.2.7",
 "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
@@ -13200,9 +13208,10 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.21",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+ "license": "MIT"
 },
 "node_modules/lodash-es": {
 "version": "4.18.1",
diff --git a/package.json b/package.json
index b5daa7442..0deb961bf 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,7 @@
 "@atlaskit/pragmatic-drag-and-drop-hitbox": "1.0.3",
 "@fontsource/inter": "4.5.14",
 "@giphy/js-fetch-api": "5.8.0",
- "@giphy/js-types": "5.1.0",
+ "@giphy/js-types": "4.3.0",
 "@giphy/react-components": "1.6.0",
 "@sentry/react": "10.53.1",
 "@tanstack/react-query": "5.24.1",
@@ -100,6 +100,7 @@
 "jotai": "2.6.0",
 "linkify-react": "4.3.2",
 "linkifyjs": "4.3.2",
+ "lodash": "4.18.1",
 "matrix-js-sdk": "38.2.0",
 "matrix-widget-api": "1.16.1",
 "millify": "6.1.0",
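Review bot: Declaring `"lodash": "4.18.1"` as a direct dependency in package.json (the `@@ -100,6 +100,7 @@` hunk) only lifts the slate-dom/slate-react copy to 4.18.1 for as long as npm happens to hoist and dedupe those packages onto the root `node_modules/lodash`; nothing pins what they resolve, so a lockfile regeneration or a transitive range that excludes 4.18.x can silently bring 4.17.21 back. The explicit mechanism for forcing a transitive version is an `overrides` entry, `"overrides": { "lodash": "4.18.1" }`, which applies to every nested copy, after which the direct dependency can be dropped unless the app itself imports lodash (not visible from this diff). The package-lock hunk at `@@ -8412,6 +8413,13 @@` also shows `node_modules/commitizen/node_modules/lodash` still resolved to 4.17.21 as a dev-only nested copy; that is outside the deployed bundle the commit message targets, but it will keep appearing in audit output until an override covers it.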