
fix(deps): vuln minor upgrades — 9 packages (minor: 4 · patch: 5) [php/Laravel57] #181

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/npm/Laravel57/2-1776950787

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

  • php/Laravel57 (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| lodash | 4.17.5 | 4.18.1 | minor | Direct | 2 CRITICAL, 7 HIGH, 7 MODERATE |
| jquery | 3.2 | 3.7.1 | minor | Direct | 1 HIGH, 7 MODERATE |
| bootstrap | 4.0.0 | 4.6.2 | minor | Direct | 8 MODERATE |
| sass-loader | 7.1.0 | 7.3.1 | minor | Direct | - |
| cross-env | 5.1 | 5.1.6 | patch | Direct | - |
| popper.js | 1.12 | 1.12.9 | patch | Direct | - |
| resolve-url-loader | 2.3.1 | 2.3.2 | patch | Direct | - |
| sass | 1.15.2 | 1.15.3 | patch | Direct | - |
| vue | 2.5.17 | 2.5.22 | patch | Direct | 1 LOW |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (10 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| lodash | CVE-2019-10744 | CRITICAL | - | 4.17.5 | - |
| lodash | GHSA-jf85-cpcp-j695 | CRITICAL | Prototype Pollution in lodash | 4.17.5 | 4.17.12 |
| jquery | CVE-2020-11023 | HIGH | This package is related to CVE-2020-11023, which was detected by cisa.gov as actively being exploited in the wild | 3.2 | - |
| lodash | GHSA-35jh-r3h4-6jhm | HIGH | Command Injection in lodash | 4.17.5 | 4.17.21 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.5 | 4.18.0 |
| lodash | GHSA-4xc9-xhrj-v574 | HIGH | Prototype Pollution in lodash | 4.17.5 | 4.17.11 |
| lodash | CVE-2018-16487 | HIGH | - | 4.17.5 | - |
| lodash | CVE-2021-23337 | HIGH | - | 4.17.5 | - |
| lodash | CVE-2020-8203 | HIGH | - | 4.17.5 | - |
| lodash | GHSA-p6mc-m468-83gw | HIGH | Prototype Pollution in lodash | 4.17.5 | 4.17.19 |
ℹ️ Other Vulnerabilities (23)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| bootstrap | GHSA-pj7m-g53m-7638 | MODERATE | Bootstrap Cross-site Scripting vulnerability | 4.0.0 | 4.1.2 |
| bootstrap | CVE-2018-14040 | MODERATE | - | 4.0.0 | - |
| bootstrap | GHSA-3wqf-4x89-9g79 | MODERATE | Bootstrap vulnerable to Cross-Site Scripting (XSS) | 4.0.0 | 4.1.2 |
| bootstrap | CVE-2018-14041 | MODERATE | - | 4.0.0 | - |
| bootstrap | CVE-2018-14042 | MODERATE | - | 4.0.0 | - |
| bootstrap | CVE-2019-8331 | MODERATE | - | 4.0.0 | - |
| bootstrap | GHSA-9v3m-8fp8-mj99 | MODERATE | Bootstrap Vulnerable to Cross-Site Scripting | 4.0.0 | 4.3.1 |
| bootstrap | GHSA-7mvr-5x2g-wfc8 | MODERATE | Bootstrap Cross-site Scripting vulnerability | 4.0.0 | 4.1.2 |
| jquery | GHSA-jpcq-cgw6-v4j6 | MODERATE | Potential XSS vulnerability in jQuery | 3.2 | 3.5.0 |
| jquery | CVE-2020-11022 | MODERATE | - | 3.2 | - |
| jquery | GHSA-6c3j-c64m-qhgq | MODERATE | XSS in jQuery as used in Drupal, Backdrop CMS, and other products | 3.2 | 3.4.0 |
| jquery | GHSA-gxr4-xjj5-5px2 | MODERATE | Potential XSS vulnerability in jQuery | 3.2 | 3.5.0 |
| jquery | CVE-2020-11023 | MODERATE | - | 3.2 | - |
| jquery | CVE-2019-11358 | MODERATE | - | 3.2 | - |
| jquery | DRUPAL-CORE-2019-006 | MODERATE | - | 3.2 | - |
| lodash | CVE-2020-28500 | MODERATE | - | 4.17.5 | - |
| lodash | GHSA-29mw-wpgm-hmr9 | MODERATE | Regular Expression Denial of Service (ReDoS) in lodash | 4.17.5 | 4.17.21 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.5 | 4.18.0 |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.5 | 4.17.23 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.5 | - |
| lodash | GHSA-x5rq-j2xg-h7qm | MODERATE | Regular Expression Denial of Service (ReDoS) in lodash | 4.17.5 | 4.17.11 |
| lodash | CVE-2019-1010266 | MODERATE | - | 4.17.5 | - |
| vue | GHSA-5j4c-8p2g-v4jx | LOW | ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function | 2.5.17 | 3.0.0-alpha.0 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
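The "Fixed In" column in the Security Details tables gives a floor that each upgrade target in the Updates table should reach. As an added example (not part of this PR, the bot, or DataDog's tooling), the Node script below checks every advisory that states a Fixed In version against the corresponding "To" version. The package data is transcribed from the two tables above; rows whose Fixed In is "-" are skipped because the PR states no threshold for them. Treating a two-part version such as 3.2 as 3.2.0, and the prerelease ordering, follow the semver specification and are this example's assumptions, not anything the PR says.

```javascript
// Added example: verify that each upgrade target reaches the advisories'
// "Fixed In" versions. Data transcribed from the PR tables; not the bot's code.

// Minimal semver parser for "MAJOR.MINOR.PATCH[-prerelease]". Missing numeric
// parts default to 0, so "3.2" is read as 3.2.0 (assumption, per semver).
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1).split('.');
  const nums = core.split('.').map(Number);
  while (nums.length < 3) nums.push(0);
  if (nums.some((n) => !Number.isInteger(n) || n < 0)) throw new Error(`bad version: ${v}`);
  return { nums, pre };
}

// Returns -1, 0 or 1. Numeric parts compare first; a prerelease sorts below
// the bare release of the same number; prerelease identifiers compare
// numerically when both are digits, otherwise lexically, numeric ones first.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.pre.length) return -1; // shorter identifier list is lower
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i];
    const y = pb.pre[i];
    const xn = /^\d+$/.test(x);
    const yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// "To" versions from the Updates table for the packages that have advisories.
const UPGRADES = { lodash: '4.18.1', jquery: '3.7.1', bootstrap: '4.6.2', vue: '2.5.22' };

// [package, advisory, Fixed In] for every Security Details row with a stated Fixed In.
const ADVISORIES = [
  ['lodash', 'GHSA-jf85-cpcp-j695', '4.17.12'],
  ['lodash', 'GHSA-35jh-r3h4-6jhm', '4.17.21'],
  ['lodash', 'GHSA-r5fr-rjxr-66jc', '4.18.0'],
  ['lodash', 'GHSA-4xc9-xhrj-v574', '4.17.11'],
  ['lodash', 'GHSA-p6mc-m468-83gw', '4.17.19'],
  ['lodash', 'GHSA-29mw-wpgm-hmr9', '4.17.21'],
  ['lodash', 'GHSA-f23m-r3pf-42rh', '4.18.0'],
  ['lodash', 'GHSA-xxjr-mmjv-4gpg', '4.17.23'],
  ['lodash', 'GHSA-x5rq-j2xg-h7qm', '4.17.11'],
  ['jquery', 'GHSA-jpcq-cgw6-v4j6', '3.5.0'],
  ['jquery', 'GHSA-6c3j-c64m-qhgq', '3.4.0'],
  ['jquery', 'GHSA-gxr4-xjj5-5px2', '3.5.0'],
  ['bootstrap', 'GHSA-pj7m-g53m-7638', '4.1.2'],
  ['bootstrap', 'GHSA-3wqf-4x89-9g79', '4.1.2'],
  ['bootstrap', 'GHSA-9v3m-8fp8-mj99', '4.3.1'],
  ['bootstrap', 'GHSA-7mvr-5x2g-wfc8', '4.1.2'],
  ['vue', 'GHSA-5j4c-8p2g-v4jx', '3.0.0-alpha.0'],
];

// Returns the advisories whose Fixed In version the upgrade target does not reach.
function unresolvedAdvisories(upgrades, advisories) {
  return advisories
    .filter(([pkg, , fixedIn]) => pkg in upgrades && compareVersions(upgrades[pkg], fixedIn) < 0)
    .map(([pkg, id, fixedIn]) => ({ pkg, id, target: upgrades[pkg], fixedIn }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of unresolvedAdvisories(UPGRADES, ADVISORIES)) {
    console.log(`${r.pkg} ${r.target} is below Fixed In ${r.fixedIn} for ${r.id}`);
  }
}
```

Run with `node check-fixed-in.js`. On the data in this PR it reports one row: vue's target 2.5.22 is below the 3.0.0-alpha.0 listed as Fixed In for GHSA-5j4c-8p2g-v4jx, even though the Updates table counts that advisory as "1 LOW" fixed; the lodash, jquery and bootstrap targets clear every stated threshold. That is the kind of discrepancy worth settling before approving an automated upgrade.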
