chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
lodash	4.17.23	4.18.1
turbo	2.1.3	2.9.18
vitest	3.2.4	3.2.6
flatted	3.3.1	3.4.2
minimatch	3.1.2	3.1.5
postcss	8.5.6	8.5.15

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates turbo from 2.1.3 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

• release(turborepo): 2.9.17 by @​github-actions[bot] in vercel/turborepo#13047
• ci: Fetch version.txt via API in docs alias failure notification by @​anthonyshew in vercel/turborepo#13050
• fix: Harden cache archive symlink restore by @​anthonyshew in vercel/turborepo#13051
• chore: Remove web UI mode by @​anthonyshew in vercel/turborepo#13052
• fix: Harden query server file access by @​anthonyshew in vercel/turborepo#13053
• fix: Confine prune patch paths by @​anthonyshew in vercel/turborepo#13054
• fix: Prevent git argument injection in SCM refs by @​anthonyshew in vercel/turborepo#13055
• fix: Strip special mode bits from cache restore by @​anthonyshew in vercel/turborepo#13056
• fix: Contain incremental cache outputs by @​anthonyshew in vercel/turborepo#13057
• fix(turborepo): Normalize Windows daemon path hash by @​Balance8 in vercel/turborepo#13020
• fix: Preserve vt100 cell byte counts by @​anthonyshew in vercel/turborepo#13058
• fix: Separate artifact signature fields by @​anthonyshew in vercel/turborepo#13059
• fix: Validate OidHash hex buffers by @​anthonyshew in vercel/turborepo#13060
• fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @​anthonyshew in vercel/turborepo#13061

New Contributors

• @​Balance8 made their first contribution in vercel/turborepo#13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

Turborepo v2.9.17

What's Changed

Changelog

• fix: Keep non-PTY stdin alive for persistent tasks by @​anthonyshew in vercel/turborepo#12972
• release(turborepo): 2.9.16 by @​github-actions[bot] in vercel/turborepo#12970
• release(turborepo): 2.9.17-canary.1 by @​github-actions[bot] in vercel/turborepo#12973
• fix: Add auth HTTP timeouts by @​anthonyshew in vercel/turborepo#12976
• fix: Detect affected root tasks in query by @​anthonyshew in vercel/turborepo#12977
• fix: Wait for Windows graceful shutdown by @​anthonyshew in vercel/turborepo#12979
• release(turborepo): 2.9.17-canary.2 by @​github-actions[bot] in vercel/turborepo#12980
• test: Skip installs for JSON output fixtures by @​anthonyshew in vercel/turborepo#12981
• feat: Add Rsbuild examples by @​Nsttt in vercel/turborepo#12942
• test: Skip installs for single package dry runs by @​anthonyshew in vercel/turborepo#12982
• test: Skip Corepack setup without installs by @​anthonyshew in vercel/turborepo#12983
• test: Skip installs for metadata-only Rust tests by @​anthonyshew in vercel/turborepo#12985
• test: Skip remaining unnecessary fixture installs by @​anthonyshew in vercel/turborepo#12986
• test: Add final hash contract snapshots by @​anthonyshew in vercel/turborepo#12984
• test: Trim run logging integration matrix by @​anthonyshew in vercel/turborepo#12987
• test: Trim affected query integration matrix by @​anthonyshew in vercel/turborepo#12988
• test: Narrow Windows integration test group by @​anthonyshew in vercel/turborepo#12989
• test: Trim task dependency integration coverage by @​anthonyshew in vercel/turborepo#12990
• test: Trim affected integration coverage by @​anthonyshew in vercel/turborepo#12991
• test: Collapse integration test matrices by @​anthonyshew in vercel/turborepo#12992

... (truncated)

Commits

• 3bdce32 publish 2.9.18 to registry
• 2a76556 fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061)
• da8e348 fix: Validate OidHash hex buffers (#13060)
• 3018717 fix: Separate artifact signature fields (#13059)
• 34514e2 fix: Preserve vt100 cell byte counts (#13058)
• 24e2d34 fix(turborepo): Normalize Windows daemon path hash (#13020)
• 16dc881 fix: Contain incremental cache outputs (#13057)
• 92e1f8e fix: Strip special mode bits from cache restore (#13056)
• f46f896 fix: Prevent git argument injection in SCM refs (#13055)
• 7f353ca fix: Confine prune patch paths (#13054)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.

Updates vitest from 3.2.4 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

• Pin last supported vite-node version  -  by @​sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

• api: Add allowWrite and allowExec options to api [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

• browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

Commits

• b6d56f8 chore: release v3.2.6
• 16f120d fix: pin last supported vite-node version
• 2cbad0a chore: release v3.2.5
• 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates flatted from 3.3.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vitest@​3.2.4 ⏵ 3.2.6	+1	+75	+1
	lodash@​4.18.1
	turbo@​2.1.3 ⏵ 2.9.18	+2	+3	+20

View full report

[dependabot]

Superseded by #266.