chore(deps): bump lodash from 4.17.23 to 4.18.1

[dependabot]

Bumps lodash from 4.17.23 to 4.18.1.

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectui-demo	Ready	Preview, Comment	Apr 2, 2026 3:34pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
objectui	Ignored		Apr 2, 2026 3:34pm

[github-actions]

❌ Console Performance Budget

Metric	Value	Budget
Main entry (gzip)	** KB**	KB
Entry file	``	—
Status	FAIL	—

---

📦 Bundle Size Report

Package	Size	Gzipped
auth (AuthContext.js)	0.31KB	0.24KB
auth (AuthGuard.js)	1.17KB	0.53KB
auth (AuthProvider.js)	7.37KB	1.79KB
auth (ForgotPasswordForm.js)	4.91KB	1.66KB
auth (LoginForm.js)	5.00KB	1.64KB
auth (PreviewBanner.js)	0.90KB	0.50KB
auth (RegisterForm.js)	6.85KB	1.86KB
auth (UserMenu.js)	3.40KB	1.22KB
auth (createAuthClient.js)	5.14KB	1.60KB
auth (createAuthenticatedFetch.js)	1.24KB	0.60KB
auth (index.js)	1.18KB	0.51KB
auth (types.js)	0.59KB	0.35KB
auth (useAuth.js)	1.57KB	0.57KB
collaboration (CommentThread.js)	18.38KB	4.49KB
collaboration (LiveCursors.js)	3.17KB	1.27KB
collaboration (PresenceAvatars.js)	3.65KB	1.42KB
collaboration (index.js)	1.16KB	0.50KB
collaboration (useCommentSearch.js)	1.98KB	0.88KB
collaboration (useConflictResolution.js)	7.75KB	1.86KB
collaboration (useMentionNotifications.js)	1.81KB	0.68KB
collaboration (usePresence.js)	6.33KB	1.84KB
collaboration (useRealtimeSubscription.js)	7.91KB	2.01KB
components (index.js)	1978.36KB	460.40KB
core (index.js)	1.29KB	0.51KB
create-plugin (index.js)	10.13KB	3.17KB
data-objectstack (index.js)	45.04KB	11.12KB
fields (LookupField-BMf3hBS4.js)	30.76KB	8.34KB
fields (index.js)	74.80KB	15.84KB
fields (rolldown-runtime-CAFD8bLK.js)	0.24KB	0.24KB
fields (useFieldTranslation-Bv3oUVgb.js)	0.26KB	0.21KB
i18n (i18n.js)	2.03KB	0.77KB
i18n (index.js)	1.99KB	0.79KB
i18n (provider.js)	4.63KB	1.47KB
i18n (useObjectLabel.js)	4.51KB	1.61KB
i18n (useSafeTranslation.js)	1.63KB	0.57KB
layout (index.js)	88.09KB	24.91KB
mobile (MobileProvider.js)	0.92KB	0.49KB
mobile (ResponsiveContainer.js)	0.94KB	0.38KB
mobile (breakpoints.js)	1.51KB	0.70KB
mobile (index.js)	1.19KB	0.53KB
mobile (pwa.js)	0.97KB	0.49KB
mobile (serviceWorker.js)	1.48KB	0.62KB
mobile (useBreakpoint.js)	1.54KB	0.65KB
mobile (useGesture.js)	4.42KB	1.27KB
mobile (usePullToRefresh.js)	2.53KB	0.85KB
mobile (useResponsive.js)	0.71KB	0.42KB
mobile (useResponsiveConfig.js)	1.36KB	0.63KB
mobile (useSpecGesture.js)	1.77KB	0.77KB
mobile (useTouchTarget.js)	1.01KB	0.54KB
permissions (PermissionContext.js)	0.31KB	0.25KB
permissions (PermissionGuard.js)	0.89KB	0.45KB
permissions (PermissionProvider.js)	3.11KB	0.87KB
permissions (evaluator.js)	4.00KB	1.23KB
permissions (index.js)	0.85KB	0.40KB
permissions (store.js)	0.91KB	0.42KB
permissions (useFieldPermissions.js)	1.28KB	0.52KB
permissions (usePermissions.js)	0.99KB	0.49KB
plugin-aggrid (AddressField-DKqaE9pD.js)	2.85KB	0.81KB
plugin-aggrid (AgGridImpl-Bj4QTgBN.js)	6.39KB	2.24KB
plugin-aggrid (AutoNumberField-0RU2dNKe.js)	0.43KB	0.34KB
plugin-aggrid (AvatarField-wqCg539O.js)	2.65KB	1.15KB
plugin-aggrid (BooleanField-DRzAZhSq.js)	1.23KB	0.58KB
plugin-aggrid (CodeField-RWhnDMyL.js)	0.86KB	0.53KB
plugin-aggrid (ColorField-B-YAFXdz.js)	1.26KB	0.59KB
plugin-aggrid (CurrencyField-Bu80a-sI.js)	1.52KB	0.80KB
plugin-aggrid (DateField-CV-NpLbM.js)	0.65KB	0.43KB
plugin-aggrid (DateTimeField--YTsgTjw.js)	0.82KB	0.48KB
plugin-aggrid (EmailField-B-3fWJsH.js)	0.88KB	0.53KB
plugin-aggrid (FileField-BPvzUIuL.js)	5.67KB	2.06KB
plugin-aggrid (FormulaField-MQXJZOep.js)	0.64KB	0.46KB
plugin-aggrid (GeolocationField-BHmdus6A.js)	4.10KB	1.48KB
plugin-aggrid (GridField-DHsGo9l2.js)	1.96KB	0.76KB
plugin-aggrid (ImageField-Do-iSxOD.js)	2.65KB	1.12KB
plugin-aggrid (LocationField-DSvhU9Dz.js)	1.00KB	0.59KB
plugin-aggrid (LookupField-BP4ayQG_.js)	0.08KB	0.11KB
plugin-aggrid (LookupField-DIBhVPxF.js)	33.79KB	8.95KB
plugin-aggrid (MasterDetailField-BVt_izEo.js)	3.40KB	1.14KB
plugin-aggrid (NumberField-Kz4_o5DE.js)	0.76KB	0.50KB
plugin-aggrid (ObjectAgGridImpl-dGTXgw4E.js)	726.52KB	183.35KB
plugin-aggrid (ObjectField-C1qkl6s4.js)	1.63KB	0.82KB
plugin-aggrid (PasswordField-DB_RmpIU.js)	1.88KB	0.94KB
plugin-aggrid (PercentField-Dmipqv0I.js)	1.85KB	0.88KB
plugin-aggrid (PhoneField-Dn4h6V9H.js)	0.87KB	0.54KB
plugin-aggrid (QRCodeField-C59bI7oR.js)	3.27KB	1.25KB
plugin-aggrid (RatingField-DvTgKH0C.js)	2.05KB	0.93KB
plugin-aggrid (RichTextField-CN5BRd_7.js)	1.19KB	0.63KB
plugin-aggrid (SelectField-B_N3Iiyg.js)	1.07KB	0.58KB
plugin-aggrid (SelectField-DeKIQAH-.js)	0.08KB	0.11KB
plugin-aggrid (SignatureField-DX0fBAS2.js)	3.14KB	1.29KB
plugin-aggrid (SliderField-C9IhmjbF.js)	1.11KB	0.55KB
plugin-aggrid (SummaryField-R9RENAZv.js)	0.60KB	0.45KB
plugin-aggrid (TextAreaField-BY63Nr6-.js)	1.12KB	0.64KB
plugin-aggrid (TextField-SIw8aMzf.js)	0.90KB	0.50KB
plugin-aggrid (TimeField-xxziHPjE.js)	0.61KB	0.40KB
plugin-aggrid (UrlField-Ihk3_ff5.js)	1.04KB	0.57KB
plugin-aggrid (UserField-BMaRAs-r.js)	2.62KB	0.98KB
plugin-aggrid (VectorField-Ci167cxr.js)	0.92KB	0.52KB
plugin-aggrid (createLucideIcon-73kh9fYs.js)	1.72KB	0.93KB
plugin-aggrid (image-DN4QRxZf.js)	0.36KB	0.26KB
plugin-aggrid (index.js)	10.33KB	2.43KB
plugin-aggrid (jsx-runtime-CGDkM_Jn.js)	7.83KB	2.89KB
plugin-aggrid (plus-DoGWIfjF.js)	0.19KB	0.19KB
plugin-aggrid (upload-DlNmJ3Bh.js)	0.29KB	0.23KB
plugin-aggrid (useFieldTranslation-DIV2WuYn.js)	9.53KB	3.70KB
plugin-aggrid (x-B7f4dqYS.js)	0.19KB	0.19KB
plugin-ai (index.js)	24.21KB	6.44KB
plugin-calendar (index.js)	44.95KB	12.95KB
plugin-charts (AdvancedChartImpl-B65TSHrr.js)	118.19KB	24.21KB
plugin-charts (BarChart-bK3fN6vN.js)	523.67KB	126.89KB
plugin-charts (ChartImpl-C59n6NRW.js)	3.62KB	1.16KB
plugin-charts (index.js)	12.70KB	4.07KB
plugin-charts (jsx-runtime-C8d0IhUE.js)	8.40KB	3.09KB
plugin-chatbot (index.js)	1194.20KB	340.76KB
plugin-dashboard (index.js)	158.02KB	38.69KB
plugin-designer (index.js)	244.91KB	47.93KB
plugin-detail (AddressField-BRtLqkxU.js)	2.66KB	0.79KB
plugin-detail (AutoNumberField-BRqh5FVp.js)	0.44KB	0.34KB
plugin-detail (AvatarField-Bs9e3WNr.js)	2.40KB	1.09KB
plugin-detail (BooleanField-BELX3kP6.js)	1.14KB	0.55KB
plugin-detail (CodeField-CsWDrboS.js)	0.80KB	0.50KB
plugin-detail (ColorField-Wmzi7IpX.js)	1.19KB	0.57KB
plugin-detail (CurrencyField-Bi465uvQ.js)	1.47KB	0.78KB
plugin-detail (DateField-B77FA9zA.js)	0.60KB	0.40KB
plugin-detail (DateTimeField-1aZuFKGT.js)	0.78KB	0.46KB
plugin-detail (EmailField-CBx6rKhr.js)	0.83KB	0.51KB
plugin-detail (FileField-s2H64Fp1.js)	5.12KB	1.90KB
plugin-detail (FormulaField-DrnzVrDw.js)	0.66KB	0.45KB
plugin-detail (GeolocationField-CIouFI7L.js)	3.31KB	1.23KB
plugin-detail (GridField-Ddh5qtHJ.js)	1.83KB	0.74KB
plugin-detail (ImageField-C9Dqj5R6.js)	2.45KB	1.09KB
plugin-detail (LocationField-CuTz7KtI.js)	0.97KB	0.58KB
plugin-detail (LookupField-BCDoUtaP.js)	30.31KB	8.22KB
plugin-detail (LookupField-CJSuHISD.js)	0.08KB	0.11KB
plugin-detail (MasterDetailField-VDMc_M9e.js)	2.90KB	0.99KB
plugin-detail (NumberField-ZbiWMZDA.js)	0.72KB	0.47KB
plugin-detail (ObjectField-asBMOyvN.js)	1.57KB	0.79KB
plugin-detail (PasswordField-DUvRfnu4.js)	1.13KB	0.66KB
plugin-detail (PercentField-D-rYFheO.js)	1.76KB	0.86KB
plugin-detail (PhoneField-CgCoKRYW.js)	0.82KB	0.51KB
plugin-detail (QRCodeField-CFl2Pzp2.js)	2.15KB	0.93KB
plugin-detail (RatingField-B2Bfy6GK.js)	1.56KB	0.69KB
plugin-detail (RichTextField-CChipsPR.js)	1.12KB	0.62KB
plugin-detail (SelectField-BxhSkvAI.js)	0.96KB	0.55KB
plugin-detail (SelectField-CRiNHWgS.js)	0.08KB	0.11KB
plugin-detail (SignatureField-gpScia2v.js)	2.81KB	1.15KB
plugin-detail (SliderField-DDpwvwVn.js)	1.04KB	0.53KB
plugin-detail (SummaryField-DWxVJebf.js)	0.62KB	0.45KB
plugin-detail (TextAreaField-BBfBdQxJ.js)	1.06KB	0.62KB
plugin-detail (TextField-D31GvhRe.js)	0.84KB	0.47KB
plugin-detail (TimeField-KU1v5YnK.js)	0.57KB	0.38KB
plugin-detail (UrlField-CjOMv_MR.js)	0.98KB	0.55KB
plugin-detail (UserField-BS94rVrS.js)	2.43KB	0.96KB
plugin-detail (VectorField-DdhpFkme.js)	0.92KB	0.52KB
plugin-detail (index.js)	136.92KB	30.17KB
plugin-detail (src-CUKzdQHd.js)	1958.42KB	457.28KB
plugin-detail (useFieldTranslation-CcZF66Xb.js)	0.25KB	0.20KB
plugin-editor (MonacoImpl-BMgw4JKF.js)	17.97KB	5.53KB
plugin-editor (index.js)	1.61KB	0.74KB
plugin-editor (jsx-runtime-HjdTyiyb.js)	7.63KB	2.80KB
plugin-form (index.js)	60.57KB	13.62KB
plugin-gantt (index.js)	215.57KB	52.75KB
plugin-grid (index.js)	101.99KB	27.65KB
plugin-kanban (KanbanEnhanced-BYdG4dd1.js)	30.21KB	8.94KB
plugin-kanban (KanbanImpl-C0fDmIb0.js)	13.33KB	4.08KB
plugin-kanban (chevron-down-B6UH8BbF.js)	0.15KB	0.18KB
plugin-kanban (index.js)	18.55KB	5.80KB
plugin-kanban (plus-BTqoaaEC.js)	9.31KB	3.57KB
plugin-kanban (sortable.esm-DzUCoMzQ.js)	59.36KB	17.43KB
plugin-list (index.js)	2028.55KB	472.51KB
plugin-map (chunk-vKJrgz-R.js)	1.18KB	0.67KB
plugin-map (index.js)	123.47KB	30.25KB
plugin-map (maplibre-gl-DGaRe_2d.js)	1331.16KB	296.90KB
plugin-markdown (MarkdownImpl-zSR34qzi.js)	220.69KB	53.61KB
plugin-markdown (index.js)	1.04KB	0.58KB
plugin-markdown (jsx-runtime-B1W8iDPg.js)	8.39KB	3.09KB
plugin-report (index.js)	77.40KB	16.24KB
plugin-timeline (index.js)	99.93KB	24.18KB
plugin-view (index.js)	124.17KB	33.50KB
plugin-workflow (index.js)	81.18KB	17.06KB
react (LazyPluginLoader.js)	3.77KB	1.33KB
react (SchemaRenderer.js)	9.04KB	2.82KB
react (index.js)	0.76KB	0.42KB
tenant (TenantContext.js)	0.31KB	0.25KB
tenant (TenantGuard.js)	1.04KB	0.43KB
tenant (TenantProvider.js)	2.76KB	0.98KB
tenant (TenantScopedQuery.js)	0.77KB	0.44KB
tenant (index.js)	0.75KB	0.38KB
tenant (resolver.js)	2.64KB	0.76KB
tenant (useTenant.js)	0.50KB	0.32KB
tenant (useTenantBranding.js)	0.62KB	0.39KB
types (ai.js)	0.20KB	0.17KB
types (api-types.js)	0.20KB	0.18KB
types (app.js)	2.87KB	0.99KB
types (base.js)	0.20KB	0.18KB
types (blocks.js)	0.20KB	0.18KB
types (complex.js)	0.20KB	0.18KB
types (crud.js)	0.20KB	0.18KB
types (data-display.js)	0.20KB	0.18KB
types (data-protocol.js)	0.20KB	0.19KB
types (data.js)	0.20KB	0.18KB
types (designer.js)	0.74KB	0.39KB
types (disclosure.js)	0.20KB	0.18KB
types (feedback.js)	0.20KB	0.18KB
types (field-types.js)	0.20KB	0.18KB
types (form.js)	0.20KB	0.18KB
types (index.js)	1.25KB	0.58KB
types (layout.js)	0.20KB	0.18KB
types (mobile.js)	0.20KB	0.18KB
types (navigation.js)	0.20KB	0.18KB
types (objectql.js)	0.20KB	0.18KB
types (overlay.js)	0.20KB	0.18KB
types (permissions.js)	0.20KB	0.18KB
types (plugin-scope.js)	0.20KB	0.18KB
types (record-components.js)	0.20KB	0.19KB
types (registry.js)	0.20KB	0.18KB
types (reports.js)	0.20KB	0.18KB
types (tenant.js)	0.20KB	0.18KB
types (theme.js)	0.20KB	0.18KB
types (ui-action.js)	0.20KB	0.18KB
types (views.js)	0.20KB	0.18KB
types (widget.js)	0.20KB	0.18KB
types (workflow.js)	0.20KB	0.18KB

Size Limits

• ✅ Core packages should be < 50KB gzipped
• ✅ Component packages should be < 100KB gzipped
• ⚠️ Plugin packages should be < 150KB gzipped