
build(deps): bump lodash, @grafana/data, @grafana/runtime and @grafana/ui #15

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-50168bd3ae

Conversation


dependabot[bot] commented on behalf of github on Apr 9, 2026

Bumps lodash to 4.18.1 and updates ancestor dependencies lodash, @grafana/data, @grafana/runtime and @grafana/ui. These dependencies need to be updated together.

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails because the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates @grafana/data from 10.4.19 to 12.4.2

Release notes

Sourced from @grafana/data's releases.

12.4.2

Download page What's new highlights

Features and enhancements

  • Analytics tab: Improve voice over accessibility (Enterprise)
  • Dashboards a11y: Do not open time zone menu on focus #120388, @idastambuk
  • Dashboards: Resolve display names by identity in version history #120273, @ivanortegaalba
  • Plugins: Forward AWS SDK credential chain env vars to external AWS plugins #120209, @kevinwcyu
  • Public Dashboards: Prevent unintended CRUD operations from different orgs #120457, @mmandrus

Bug fixes

12.4.1

Download page What's new highlights

Features and enhancements

Bug fixes

  • AccessControl: Fix test utility for datasource deletion permissions cleanup (Enterprise)
  • Alerting: Change scope for testing new receivers to use supported resource type. #118495, @yuri-tceretian
  • Alerting: Fix CollateAlertRuleGroup migration for MariaDB compatibility #119028, @alexander-akhmetov

12.4.0

Download page What's new highlights

Features and enhancements

  • API: Add missing scope check on dashboards #116885, @Proximyst
  • Alerting Enrichment: Add new RBAC permissions for reading and writing enrichments (Enterprise)
  • Alerting: Add Alert Rules tabs navigation with feature toggle #116253, @aifraenkel

... (truncated)

Changelog

Sourced from @grafana/data's changelog.

12.4.2 (2026-03-25)

Features and enhancements

  • Analytics tab: Improve voice over accessibility (Enterprise)
  • Dashboards a11y: Do not open time zone menu on focus #120388, @idastambuk
  • Dashboards: Resolve display names by identity in version history #120273, @ivanortegaalba
  • Plugins: Forward AWS SDK credential chain env vars to external AWS plugins #120209, @kevinwcyu
  • Public Dashboards: Prevent unintended CRUD operations from different orgs #120457, @mmandrus

Bug fixes

12.3.6 (2026-03-25)

Features and enhancements

  • Public Dashboards: Prevent unintended CRUD operations from different orgs #120459, @mmandrus

Bug fixes

12.2.8 (2026-03-25)

Bug fixes

... (truncated)

Commits
  • 46b208c Release: 12.4.1 (#119861)
  • 70a1120 Release: Bump version to 12.4.1 (#118387)
  • 5db39c9 Alerting: Add alertingSyncNotifiersApiMigration feature flag (#117946)
  • 7e493b8 Add ds config validation api (#117788)
  • 5bc6364 Alerting: Add FF to control NoData and Error pending behavior (#117931)
  • 6af65ea IAM: Extend teambinding store, introduce kubernetesTeamSync feature toggle (...
  • d7b5508 Reroute GET /api/datasources/uid/:uid to the /apis handlers (#116678)
  • 3a53c09 QueryCaching: Get defaults ttl from frontend settings - Frontend Code (#117928)
  • d515014 Secrets Keeper: Add secretsKeeperUI feature flag (#117427)
  • ae4999c Live: select orgId or namespace based on backend capabilities (#117852)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @grafana/data since your current version.


Updates @grafana/runtime from 10.4.19 to 12.4.2

Release notes and changelog: identical to the @grafana/data entries above (all three packages are released from the shared grafana/grafana changelog).

Commits
  • 46b208c Release: 12.4.1 (#119861)
  • 70a1120 Release: Bump version to 12.4.1 (#118387)
  • 5de0ffe OpenFeature: Refactor frontend usage (#117573)
  • 3a53c09 QueryCaching: Get defaults ttl from frontend settings - Frontend Code (#117928)
  • ae4999c Live: select orgId or namespace based on backend capabilities (#117852)
  • b0bf200 Chore: Upgrade Grafana Faro to v2, removing web_vitals_attribution_enabled ...
  • e6eb555 fix: plugin meta call works with sub paths (#117737)
  • 16de4a6 Dashboards: Avoid using internal id from the frontend (#117398)
  • 1857131 datasources: query service: use feature-flag for per-datasource control (#117...
  • c094df2 GrafanaBootData: Deprecate config.panels (#116918)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @grafana/runtime since your current version.


Updates @grafana/ui from 10.4.19 to 12.4.2

Release notes and changelog: identical to the @grafana/data entries above (all three packages are released from the shared grafana/grafana changelog).

Commits
  • aafb944 [release-12.4.2] Dashboards a11y: Do not open time zone menu on focus (#120388)
  • 46b208c Release: 12.4.1 (#119861)
  • e9a93dc [release-12.4.1] A11y MenuItem: Fix voice over announce 1 of 1 for Keyboard s...
  • 4b2ad34 [release-12.4.1] A11y: Add aria-expanded to expand/collapse buttons (#119778)
  • 03e1b2a Table: Improve a11y (#118141) (#118623)
  • a7571c6 [release-12.4.1] ShareDrawer: Focus dropdown button back when drawer gets clo...
  • 34a126b [release-12.4.1] A11y: Fix Navigation and Drawer dialogs missing programmatic ...
  • 70a1120 Release: Bump version to 12.4.1 (#118387)
  • 43b5c56 Table: Row selection with initialRowIndex (#117799)
  • 1bb36d7 Chore: Turn Cascader into a functional component (#117477)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @grafana/ui since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
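The two lodash fixes quoted in the 4.18.0 notes above, illustrated with an added stand-alone example. This is my code, not lodash's source: a delete-at-path helper that checks segments before normalising them (the bypass class the `_.unset` / `_.omit` note describes), beside one that normalises first and refuses `constructor` and `prototype` as non-terminal keys; and a toy template compiler that shows where `imports` keys land (the `Function()` parameter list) and the validation `_.template` now performs. `toKey`, `castPath`, `naiveUnset`, `safeUnset`, `demoUnset`, `compileTemplate` and the `Widget` class are names I chose, and the forbidden-character pattern is my approximation of lodash's `reForbiddenIdentifierChars`, not copied from it.

```javascript
'use strict';

// ---- 1. Delete-at-path: the unset / omit traversal bug --------------------

// Coerce a path segment to a property key the way a lodash-style toKey does
// ('' + value): an array-wrapped segment such as ['constructor'] becomes the
// string 'constructor'. A guard that runs before this step can be bypassed.
function toKey(segment) {
  return typeof segment === 'string' ? segment : String(segment);
}

// Split a dotted string path; arrays are taken as already-split segments.
function castPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

const isBlockedKey = (k) => k === 'constructor' || k === 'prototype';

// Illustration of the bypass (my construction, not lodash 4.17.x verbatim):
// the guard compares raw segments, so only a plain string 'constructor' is
// caught, while the walk coerces ['constructor'] to 'constructor' and reaches
// the class prototype. A primitive root would be auto-boxed the same way.
function naiveUnset(root, path) {
  const segs = castPath(path);
  for (let i = 0; i < segs.length - 1; i++) {
    if (isBlockedKey(segs[i])) return false;
  }
  let cur = root;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur == null) return true;
    cur = cur[toKey(segs[i])];
  }
  return cur == null || delete cur[toKey(segs[segs.length - 1])];
}

// Hardened form: normalise every segment first, then refuse 'constructor' and
// 'prototype' as non-terminal keys unconditionally. Returns false and leaves
// the target untouched, whatever the wrapping and whether the root is primitive.
function safeUnset(root, path) {
  const segs = castPath(path).map(toKey);
  for (let i = 0; i < segs.length - 1; i++) {
    if (isBlockedKey(segs[i])) return false;
  }
  let cur = root;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur == null) return true;
    cur = cur[segs[i]];
  }
  return cur == null || delete cur[segs[segs.length - 1]];
}

// Run one unset implementation against a fresh class and report whether the
// shared prototype method survived. A fresh class per call keeps runs isolated.
function demoUnset(unset) {
  class Widget { render() { return 'ok'; } }
  const result = unset(new Widget(), [['constructor'], ['prototype'], 'render']);
  return { result, renderSurvives: typeof Widget.prototype.render === 'function' };
}

// ---- 2. Template imports keys: the Function() parameter-list sink ---------

// Characters that must never reach a Function() parameter list. Approximation
// of lodash's reForbiddenIdentifierChars (assumed, not copied from lodash).
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

// Toy template compiler: <%= expr %> is interpolated, imports keys become
// parameter names of the generated function and `obj` carries the data.
// With validateKeys=false the keys are spliced in unchecked, which is the
// situation the 4.18.0 note describes for imports (variable was already checked).
function compileTemplate(source, imports = {}, validateKeys = true) {
  const keys = Object.keys(imports);
  if (validateKeys) {
    for (const k of keys) {
      if (reForbiddenIdentifierChars.test(k)) {
        throw new Error('Invalid imports option passed into _.template');
      }
    }
  }
  // Even-indexed parts are literal text, odd-indexed parts are expressions.
  const parts = source.split(/<%=([\s\S]+?)%>/);
  const expr = parts
    .map((p, i) => (i % 2 === 0 ? JSON.stringify(p) : '(' + p.trim() + ')'))
    .join(' + ');
  const fn = Function(...keys, 'obj', 'return ' + expr + ';');
  return (obj) => fn(...keys.map((k) => imports[k]), obj);
}

console.log('naive:', demoUnset(naiveUnset));  // result true, render removed
console.log('safe :', demoUnset(safeUnset));   // result false, render intact
console.log(compileTemplate('Hi <%= greet(obj.name) %>!',
  { greet: (n) => n.toUpperCase() })({ name: 'bob' }));
// Unchecked: the key 'a = 6 * 7' is parsed as a default initializer, i.e. as code.
console.log(compileTemplate('<%= a %>', { 'a = 6 * 7': undefined }, false)({}));
try {
  compileTemplate('<%= a %>', { 'a = 6 * 7': undefined });
} catch (e) {
  console.log('guarded:', e.message);
}
```

The `naiveUnset` / `safeUnset` pair is the general lesson behind the first advisory: validate the normalised key, never the raw input, when the normalisation happens later in the same code path. The template half shows why a parameter name is a code sink: the unchecked key is evaluated as a default-parameter expression without ever touching the template body, which is why the `variable` check alone left `imports` exposed.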

…a/ui

Bumps [lodash](https://github.com/lodash/lodash) to 4.18.1 and updates ancestor dependencies [lodash](https://github.com/lodash/lodash), [@grafana/data](https://github.com/grafana/grafana/tree/HEAD/packages/grafana-data), [@grafana/runtime](https://github.com/grafana/grafana/tree/HEAD/packages/grafana-runtime) and [@grafana/ui](https://github.com/grafana/grafana/tree/HEAD/packages/grafana-ui). These dependencies need to be updated together.


Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `@grafana/data` from 10.4.19 to 12.4.2
- [Release notes](https://github.com/grafana/grafana/releases)
- [Changelog](https://github.com/grafana/grafana/blob/main/CHANGELOG.md)
- [Commits](https://github.com/grafana/grafana/commits/v12.4.2/packages/grafana-data)

Updates `@grafana/runtime` from 10.4.19 to 12.4.2
- [Release notes](https://github.com/grafana/grafana/releases)
- [Changelog](https://github.com/grafana/grafana/blob/main/CHANGELOG.md)
- [Commits](https://github.com/grafana/grafana/commits/v12.4.2/packages/grafana-runtime)

Updates `@grafana/ui` from 10.4.19 to 12.4.2
- [Release notes](https://github.com/grafana/grafana/releases)
- [Changelog](https://github.com/grafana/grafana/blob/main/CHANGELOG.md)
- [Commits](https://github.com/grafana/grafana/commits/v12.4.2/packages/grafana-ui)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: "@grafana/data"
  dependency-version: 12.4.2
  dependency-type: direct:production
- dependency-name: "@grafana/runtime"
  dependency-version: 12.4.2
  dependency-type: direct:production
- dependency-name: "@grafana/ui"
  dependency-version: 12.4.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
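The commit message and PR body both say the ancestors have to move together with lodash because lodash is an indirect dependency. An added example of the check behind that statement, written by me rather than taken from Dependabot or the repository: walk a package-lock.json `packages` map, list every entry that declares lodash, and report whether its range admits the fixed version. The lockfile below is constructed for the example, and the lodash ranges it assigns to `@grafana/data` and `@grafana/ui` are assumptions, not the real manifests; `satisfies`, `dependentsOf` and `installedVersion` are my names.

```javascript
'use strict';

// Constructed package-lock.json (lockfileVersion 3 "packages" map) standing in
// for the repository's lockfile, which is not on the page. The lodash ranges
// given for the two @grafana packages are assumptions for the example.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@grafana/data': '10.4.19', '@grafana/ui': '10.4.19' } },
    'node_modules/@grafana/data': { version: '10.4.19', dependencies: { lodash: '4.17.21' } },
    'node_modules/@grafana/ui': { version: '10.4.19', dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

const parseVersion = (v) => v.split('.').map(Number);

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range matcher: exact, ^, ~, >= and '*'. Real npm ranges are richer
// (unions, hyphen ranges, prereleases); these are the shapes that usually pin
// a transitive dependency in a published manifest.
function satisfies(version, range) {
  if (range === '*' || range === 'latest') return true;
  const m = /^(\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error('unsupported range: ' + range);
  const [, op, base] = m;
  const c = compareVersions(version, base);
  if (!op) return c === 0;
  if (c < 0) return false;
  if (op === '>=') return true;
  const [v, b] = [parseVersion(version), parseVersion(base)];
  if (op === '~') return v[0] === b[0] && v[1] === b[1];
  // caret: same major, or same minor while the major is 0
  return b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
}

// Strip the node_modules/ prefix(es) to get the dependent's package name.
const nameFromPath = (p) => (p === '' ? '(root)' : p.split('node_modules/').pop());

// Every lockfile entry that declares `name`, with whether its range admits
// `fixedVersion`. Entries with allowsFix=false are the ancestors that must be
// bumped together with the fix, which is what the PR description states.
function dependentsOf(lock, name, fixedVersion) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies[name];
    if (range === undefined) continue;
    out.push({ dependent: nameFromPath(path), range, allowsFix: satisfies(fixedVersion, range) });
  }
  return out;
}

// Resolved version of a top-level (non-nested) install, or null if absent.
function installedVersion(lock, name) {
  const entry = lock.packages['node_modules/' + name];
  return entry ? entry.version : null;
}

console.log('installed lodash:', installedVersion(sampleLock, 'lodash'));
for (const r of dependentsOf(sampleLock, 'lodash', '4.18.1')) {
  console.log(`${r.dependent.padEnd(16)} ${r.range.padEnd(10)} ${r.allowsFix ? 'admits' : 'blocks'} 4.18.1`);
}
```

Run against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an entry that blocks the fix has to be bumped (or overridden) before lodash can move, which is the "updated together" situation this PR describes. The maintainer-change notices above (a new npm releaser for the @grafana packages) are a separate check: `npm audit signatures` verifies registry signatures and provenance attestations for what the lockfile resolves.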
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 9, 2026