Inquiry about lodash dependency updates

## Summary
We're downstream users of jsonwebtoken (via cf-nodejs-logging-support) and noticed PR #1022 addressing lodash vulnerabilities. Would appreciate any information about the status of this PR.

## Impact
Our security scans flag jsonwebtoken@9.0.3 due to vulnerable lodash sub-packages including lodash.includes, lodash.isnumber, lodash.isboolean, etc.

**CVEs:**
- CVE-2026-4800 (CVSS 9.8) - Command Injection
- CVE-2019-10744 (CVSS 9.1) - Prototype Pollution
- CVE-2021-23337 (CVSS 7.2) - Command Injection
- CVE-2020-8203 (CVSS 7.4) - Prototype Pollution

## Question
If possible, could you share:
1. Any updates on PR #1022?
2. Approximate timeline for a release?
3. Whether there's anything blocking progress that we might help with?

We're available to help with testing if useful.

## Context
- **Dependency chain:** Our app → cf-nodejs-logging-support@7.4.5 → jsonwebtoken@9.0.3

## References
- PR #1022


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inquiry about lodash dependency updates #1023

Summary

Impact

Question

Context

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Inquiry about lodash dependency updates #1023

Description

Summary

Impact

Question

Context

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions