chore(deps): bump lodash-es from 4.17.21 to 4.18.1

[dependabot]

Bumps lodash-es from 4.17.21 to 4.18.1.

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

[changeset-bot]

⚠️ No Changeset found

Latest commit: df40586

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for module-federation-docs ready!

Name	Link
🔨 Latest commit	df40586
🔍 Latest deploy log	https://app.netlify.com/projects/module-federation-docs/deploys/69dc6abce723eb000884db26
😎 Deploy Preview	https://deploy-preview-4617--module-federation-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cafbb305fd

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep lockfile updates scoped to the lodash-es bump

This dependency-update commit is supposed to change lodash-es for packages/rspress-plugin, but the lockfile also changes unrelated resolution state (for example, openai now resolves with ws@8.20.0 despite no openai/ws manifest change). Pulling in broad, unreviewed lockfile churn in a single-package security bump increases regression risk in other parts of the workspace and makes rollback/audit harder; please regenerate pnpm-lock.yaml with a targeted lockfile-only update so only lodash-es-related entries move.

Useful? React with 👍 / 👎.

[pkg-pr-new]

Open in StackBlitz

@module-federation/devtools

pnpm add https://pkg.pr.new/@module-federation/devtools@df40586

@module-federation/cli

pnpm add https://pkg.pr.new/@module-federation/cli@df40586

create-module-federation

pnpm add https://pkg.pr.new/create-module-federation@df40586

@module-federation/data-prefetch

pnpm add https://pkg.pr.new/@module-federation/data-prefetch@df40586

@module-federation/dts-plugin

pnpm add https://pkg.pr.new/@module-federation/dts-plugin@df40586

@module-federation/enhanced

pnpm add https://pkg.pr.new/@module-federation/enhanced@df40586

@module-federation/error-codes

pnpm add https://pkg.pr.new/@module-federation/error-codes@df40586

@module-federation/esbuild

pnpm add https://pkg.pr.new/@module-federation/esbuild@df40586

@module-federation/managers

pnpm add https://pkg.pr.new/@module-federation/managers@df40586

@module-federation/manifest

pnpm add https://pkg.pr.new/@module-federation/manifest@df40586

@module-federation/metro

pnpm add https://pkg.pr.new/@module-federation/metro@df40586

@module-federation/metro-plugin-rnc-cli

pnpm add https://pkg.pr.new/@module-federation/metro-plugin-rnc-cli@df40586

@module-federation/metro-plugin-rnef

pnpm add https://pkg.pr.new/@module-federation/metro-plugin-rnef@df40586

@module-federation/modern-js

pnpm add https://pkg.pr.new/@module-federation/modern-js@df40586

@module-federation/modern-js-v3

pnpm add https://pkg.pr.new/@module-federation/modern-js-v3@df40586

@module-federation/native-federation-tests

pnpm add https://pkg.pr.new/@module-federation/native-federation-tests@df40586

@module-federation/native-federation-typescript

pnpm add https://pkg.pr.new/@module-federation/native-federation-typescript@df40586

@module-federation/nextjs-mf

pnpm add https://pkg.pr.new/@module-federation/nextjs-mf@df40586

@module-federation/node

pnpm add https://pkg.pr.new/@module-federation/node@df40586

@module-federation/retry-plugin

pnpm add https://pkg.pr.new/@module-federation/retry-plugin@df40586

@module-federation/rsbuild-plugin

pnpm add https://pkg.pr.new/@module-federation/rsbuild-plugin@df40586

@module-federation/rspack

pnpm add https://pkg.pr.new/@module-federation/rspack@df40586

@module-federation/rspress-plugin

pnpm add https://pkg.pr.new/@module-federation/rspress-plugin@df40586

@module-federation/runtime

pnpm add https://pkg.pr.new/@module-federation/runtime@df40586

@module-federation/runtime-core

pnpm add https://pkg.pr.new/@module-federation/runtime-core@df40586

@module-federation/runtime-tools

pnpm add https://pkg.pr.new/@module-federation/runtime-tools@df40586

@module-federation/sdk

pnpm add https://pkg.pr.new/@module-federation/sdk@df40586

@module-federation/storybook-addon

pnpm add https://pkg.pr.new/@module-federation/storybook-addon@df40586

@module-federation/third-party-dts-extractor

pnpm add https://pkg.pr.new/@module-federation/third-party-dts-extractor@df40586

@module-federation/treeshake-frontend

pnpm add https://pkg.pr.new/@module-federation/treeshake-frontend@df40586

@module-federation/treeshake-server

pnpm add https://pkg.pr.new/@module-federation/treeshake-server@df40586

@module-federation/typescript

pnpm add https://pkg.pr.new/@module-federation/typescript@df40586

@module-federation/utilities

pnpm add https://pkg.pr.new/@module-federation/utilities@df40586

@module-federation/webpack-bundler-runtime

pnpm add https://pkg.pr.new/@module-federation/webpack-bundler-runtime@df40586

@module-federation/bridge-react

pnpm add https://pkg.pr.new/@module-federation/bridge-react@df40586

@module-federation/bridge-react-webpack-plugin

pnpm add https://pkg.pr.new/@module-federation/bridge-react-webpack-plugin@df40586

@module-federation/bridge-shared

pnpm add https://pkg.pr.new/@module-federation/bridge-shared@df40586

@module-federation/bridge-vue3

pnpm add https://pkg.pr.new/@module-federation/bridge-vue3@df40586

@module-federation/inject-external-runtime-core-plugin

pnpm add https://pkg.pr.new/@module-federation/inject-external-runtime-core-plugin@df40586

commit: df40586

[github-actions]

Bundle Size Report

10 package(s) changed, 30 unchanged.

Package dist + ESM entry

Package	Total dist (raw)	Delta	ESM gzip	Delta
@module-federation/cli	26.3 kB	no change	786 B	no change
@module-federation/core	39.1 kB	no change	173 B	no change
@module-federation/devtools	481.4 kB	no change	3.9 kB	no change
@module-federation/enhanced	812.9 kB	no change	672 B	no change
@module-federation/managers	69.8 kB	no change	334 B	no change
@module-federation/manifest	138.0 kB	no change	182 B	no change
@module-federation/metro-plugin-rnc-cli	0 B	no change	314 B	no change
@module-federation/node	189.1 kB	no change	217 B	no change
@module-federation/storybook-addon	77.3 kB	no change	100 B	no change
@module-federation/utilities	110.6 kB	no change	328 B	no change

Bundle targets

Package	Web bundle (gzip)	Delta	Node bundle (gzip)	Delta
@module-federation/cli	2.3 kB	-35 B (-1.5%)	2.3 kB	-35 B (-1.5%)
@module-federation/core	1.1 kB	-33 B (-2.9%)	1.0 kB	-32 B (-3.0%)
@module-federation/devtools	21.3 kB	-26 B (-0.1%)	21.3 kB	-26 B (-0.1%)
@module-federation/enhanced	2.6 kB	-46 B (-1.7%)	2.6 kB	-46 B (-1.7%)
@module-federation/managers	2.4 kB	-28 B (-1.1%)	2.4 kB	-28 B (-1.1%)
@module-federation/manifest	6.2 kB	-38 B (-0.6%)	6.2 kB	-38 B (-0.6%)
@module-federation/metro-plugin-rnc-cli	411 B	-27 B (-6.2%)	411 B	-27 B (-6.2%)
@module-federation/node	9.2 kB	-29 B (-0.3%)	9.2 kB	-29 B (-0.3%)
@module-federation/storybook-addon	1.9 kB	-25 B (-1.3%)	1.7 kB	-25 B (-1.4%)
@module-federation/utilities	2.6 kB	-33 B (-1.2%)	2.6 kB	-33 B (-1.2%)

Consumer scenarios

Scenario	Web output (gzip)	Delta	Node output (gzip)	Delta	Gap (node-web)	Delta
Enhanced remoteEntry	19.8 kB	-13 B (-0.1%)	20.8 kB	-15 B (-0.1%)	+1.0 kB	-2 B

Total dist (raw): 6.31 MB (no change)
Total ESM gzip: 73.9 kB (no change)
Total web bundle (gzip): 179.4 kB (-320 B (-0.2%))
Total node bundle (gzip): 179.9 kB (-319 B (-0.2%))
Tracked ./bundler entry gzip: 556 B (no change)
Tracked ./bundler web bundle (gzip): 4.8 kB (no change)
Tracked ./bundler node bundle (gzip): 4.8 kB (no change)

Bundle sizes are generated with rslib (Rspack). Package-root metrics preserve the historical report. Tracked subpath exports such as ./bundler are measured separately so ENV_TARGET-driven tree-shaking is visible. Bare imports are externalized to keep package-level sizes consistent, and assets are emitted as resources.