build(deps-dev): bump lodash from 4.17.21 to 4.17.23

[dependabot]

Bumps lodash from 4.17.21 to 4.17.23.

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

Pull Request Review: build(deps-dev): bump lodash from 4.17.21 to 4.17.23

Summary

This PR updates lodash from version 4.17.21 to 4.17.23, a dependency update managed by Dependabot. The update includes security fixes and maintenance improvements.

Code Quality and Best Practices ✅

Positive aspects:

• Automated dependency management through Dependabot
• Only updates lockfile (pnpm-lock.yaml), no source code changes needed
• Semantic versioning maintained (patch version bump)
• Uses lodash with tree-shaking friendly imports (e.g., import debounce from 'lodash/debounce') in most places

Areas for consideration:

• One file imports the entire lodash namespace (import * as lodash from 'lodash' in client/src/javascript/components/sidebar/DiskUsage.tsx:6), which could be optimized to import only round for better bundle size

Security Concerns ✅

Security fix included:
The update from 4.17.21 to 4.17.23 includes an important security fix for prototype pollution in the baseUnset function (see commit edadd45 in the changelog). This is a critical security improvement.

Impact assessment:

• lodash is listed as a devDependency
• Used in client-side code for utilities: uniqueId, debounce, sortedIndex, and round
• Also used by build tools (concurrently, html-webpack-plugin, pretty-error, renderkid)
• No direct security risk exposure in production runtime, but important for development security

Potential Bugs or Issues ✅

No breaking changes detected:

• Patch version update (4.17.21 → 4.17.23) follows semantic versioning
• Changes are backward compatible
• Usage patterns in codebase are simple utility functions that are not affected by the updates

Transitive updates:
The lockfile shows several transitive dependency updates:

• @babel/code-frame: 7.27.1 → 7.28.6
• @babel/runtime: 7.28.4 → 7.28.6
• @babel/helper-validator-identifier: added 7.28.5
• diff: 4.0.2 → 4.0.4

These are all maintenance updates that should not introduce issues.

Performance Considerations ✅

No performance regressions expected:

• The update includes only bug fixes and documentation improvements
• No API changes that would affect performance
• Existing usage is minimal and straightforward (utility functions only)

Optimization opportunity:
Consider refactoring DiskUsage.tsx:6 from:

import * as lodash from 'lodash';
// Used as: lodash.round()

to:

import round from 'lodash/round';
// Used as: round()

This would improve tree-shaking and reduce bundle size (though this is not blocking for this PR).

Test Coverage ⚠️

Considerations:

• No test changes included (expected for a lockfile-only dependency update)
• Existing test suite should validate that no regressions were introduced
• Recommend running full test suite and build before merging
• CI checks should verify compatibility

Additional Notes

What's included in lodash 4.17.23:

1. Security fix: Prevent prototype pollution on baseUnset function
2. JSDoc improvements
3. Documentation fixes
4. CI/CD improvements

Recommendation: ✅ APPROVE

This is a straightforward security and maintenance update that should be merged. The changes are minimal, backward compatible, and include important security fixes. The transitive dependency updates are also appropriate maintenance updates.

Before merging:

• Ensure CI passes (build, tests, linting)
• Consider the optimization suggestion for DiskUsage.tsx as a follow-up improvement (not blocking)