From 514edf3e96e6c71dd3e2599b9e2bfdc895a6880f Mon Sep 17 00:00:00 2001
From: Bronley Plumb
Date: Wed, 20 May 2026 09:48:07 -0400
Subject: [PATCH] fix(ast): update lodash to 4.18.1 to patch security vulnerabilities

Lodash 4.17.23 is affected by:
- CVE-2026-2950: prototype pollution bypass in _.unset/_.omit (bypasses the fix for CVE-2025-13465 via array-wrapped path segments)
- CVE-2026-4800: code injection in _.template (CVSS 9.8) when untrusted input is used as options.imports key names

Bumps the pinned version from 4.17.23 to ^4.18.1 which contains the patches for both issues.

All 26 existing tests continue to pass.

---
 packages/ast/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/ast/package.json b/packages/ast/package.json
index 2843a1e..46ae63c 100644
--- a/packages/ast/package.json
+++ b/packages/ast/package.json
@@ -19,7 +19,7 @@
 "dependencies": {
 "@xml-tools/common": "^0.2.0",
 "@xml-tools/parser": "^1.0.11",
- "lodash": "4.17.23"
+ "lodash": "^4.18.1"
 },
 "devDependencies": {
 "klaw-sync": "6.0.0"
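Review bot: The added line changes lodash from an exact pin (`"4.17.23"`) to a caret range (`"^4.18.1"`), so fresh installs may float to any later 4.x release rather than the version that was reviewed; the commit message still calls it "the pinned version", and the sibling `klaw-sync` in the same hunk remains an exact pin, so the intent is unclear. If exact pinning was deliberate for reproducible builds, keep it with `"lodash": "4.18.1"` and note the policy change in the message otherwise. The diffstat lists only package.json, so if this workspace tracks a lockfile it is not updated here; resolvers that honor the lockfile may then keep installing the vulnerable 4.17.23 until it is regenerated, which is presumably not what the fix intends.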