Bump lodash and pa11y-ci

[dependabot]

Bumps lodash to 4.18.1 and updates ancestor dependency pa11y-ci. These dependencies need to be updated together.

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates pa11y-ci from 2.4.2 to 4.1.1

Release notes

Sourced from pa11y-ci's releases.

v4.1.1

Pa11y CI 4.1.1 updates the lodash dependency to ~4.18.1 to resolve GHSA-f23m-r3pf-42r / CVE-2026-2950.

v4.1.0

What's changed

• Add support for config files with the .cjs extension
• Improve documentation for sitemap-exclude
• Improve npm keywords for better discoverability
• Replace nyc with c8 for test coverage
• Replace mockery with quibble for mocking
• Upgrade dependencies to recent versions matching pa11y's to ensure deduplication works well

New Contributors

• @​Maxzolythus made their first contribution in pa11y/pa11y-ci#306

Full Changelog: pa11y/pa11y-ci@4.0.1...4.1.0

v4.0.1

Pa11y CI 4.0.1 reintroduces compatibility for node >=20.0.0 <20.18.1.

(At the time of writing, v20.19.4 is the latest version of node 20.)

Pa11y CI 4.0.0 updated the cheerio dependency to 1.1.2. But this causes EBADENGINE warnings when installing if node <20.18.1. We target compatibility with node >20, which after some discussion we think should mean >20.0.0.

Full Changelog: pa11y/pa11y-ci@4.0.0...4.0.1

v4.0.0

Pa11y CI 4.0.0 requires a stable (even-numbered) Node.js version of 20 or above, updates to the latest version of Pa11y (9) and Puppeteer (24), updates several other dependencies, and includes some GitHub actions and documentation cleanup. See the migration guide for details.

Changes

• Breaking: Upgrade Node.js support: Pa11y CI 4 requires a stable (even-numbered) Node.js version of 20 or above, dropping support for Node 12, 14, 16, 18.
• Breaking: Upgrade pa11y to 9 (from 6), which updates numerous dependencies, fixes issues with Pa11y CI failing to run on Ubuntu 24.04, and resolves several vulnerabilities and deprecated packages (closing #198, #227, #242, #247).
  • Upgrade puppeteer to 24 (from 9.1), which updates to the current Chrome. This changes Chrome's default headless mode, see the migration guide for details. Also expand the puppeteer dependency compatibility to caret (patch and minor releases) to allow upgrades to a more recent compatible version upon install (which frequently contains Chrome updates and security patches).
  • Upgrade axe-core to 4.10 from 4.2. This includes rule fixes that may change results when using the axe runner. See axe-core releases for complete details.
  • Upgrade semver to 7.7 from 7.3, resolving CVE-2022-25883.
• Fixed issue with pa11y-ci process hanging if browser passed from config file. (#248)
• Other dependency upgrades: commander to 14.0, async to 3.2, cheerio to 1.1, and node-fetch to 2.7.
• GitHub Actions changes: Update workflows for supported Node version, Ubuntu 24.04 compatibility, and publishing package with provenance.
• Other changes: Refactor code and tests for dependency compatibility, update support table and fix some links in the README.

See the migration guide for details.

Full changelog

3.1.0...4.0.0

... (truncated)

Changelog

Sourced from pa11y-ci's changelog.

4.1.1 (2026-05-11)

Pa11y CI 4.1.1 updates the lodash dependency to ~4.18.1 to resolve GHSA-f23m-r3pf-42r / CVE-2026-2950.

4.1.0 (2026-03-02)

• Add support for config files with the .cjs extension
• Improve documentation for sitemap-exclude
• Improve npm keywords for better discoverability
• Replace nyc with c8 for test coverage
• Replace mockery with quibble for mocking
• Upgrade dependencies to recent versions matching pa11y's to ensure deduplication works well

New Contributors

• @​Maxzolythus made their first contribution in pa11y/pa11y-ci#306

Full Changelog: pa11y/pa11y-ci@4.0.1...4.1.0

4.0.1 (2025-08-15)

Pa11y CI 4.0.1 reintroduces compatibility for node >=20.0.0 <20.18.1. (At the time of writing, v20.19.4 is the latest version of node 20.)

Pa11y CI 4.0.0 updated the cheerio dependency to 1.1.2. But this causes EBADENGINE warnings when installing, if node <20.18.1. We target compatibility with node >=20, which after some discussion we think should mean >=20.0.0.

Full changelog

4.0.0...4.0.1

4.0.0 (2025-07-22)

Pa11y CI 4.0.0 requires a stable (even-numbered) Node.js version of 20 or above, updates to the latest version of Pa11y (9) and Puppeteer (24), updates several other dependencies, and includes some GitHub actions and documentation cleanup. See the migration guide for details.

Changes

• Breaking: Upgrade Node.js support: Pa11y CI 4 requires a stable (even-numbered) Node.js version of 20 or above, dropping support for Node 12, 14, 16, 18.
• Breaking: Upgrade pa11y to 9 (from 6), which updates numerous dependencies, fixes issues with Pa11y CI failing to run on Ubuntu 24.04, and resolves several vulnerabilities and deprecated packages (closing #198, #227, #242, #247).
  • Upgrade puppeteer to 24 (from 9.1), which updates to the current Chrome. This changes Chrome's default headless mode, see the migration guide for details. Also expand the puppeteer dependency compatibility to caret (patch and minor releases) to allow upgrades to a more recent compatible version upon install (which frequently contains Chrome updates and security patches).
  • Upgrade axe-core to 4.10 from 4.2. This includes rule fixes that may change results when using the axe runner. See axe-core releases for complete details.
  • Upgrade semver to 7.7 from 7.3, resolving CVE-2022-25883.
• Fixed issue with pa11y-ci process hanging if browser passed from config file. (#248)
• Other dependency upgrades: commander to 14.0, async to 3.2, cheerio to 1.1, and node-fetch to 2.7.
• GitHub Actions changes: Update workflows for supported Node version, Ubuntu 24.04 compatibility, and publishing package with provenance.
• Other changes: Refactor code and tests for dependency compatibility, update support table and fix some links in the README.

See the migration guide for details.

Full changelog

3.1.0...4.0.0

... (truncated)

Commits

• db62475 Update documentation for v4.1.1 (#335)
• c7218ba Bump puppeteer from 24.37.5 to 24.43.0 (#330)
• 6f561e3 Bump ip-address from 10.1.0 to 10.2.0 (#331)
• 9491bc8 Bump basic-ftp from 5.2.0 to 5.3.1 (#332)
• 08eedc5 Bump undici from 6.23.0 to 6.25.0 (#334)
• 30a9ea1 Bump lodash from 4.17.23 to 4.18.1 (#324)
• d179c28 Making .gitignore consistent between repos
• 760234a Version 4.1.0
• 3e514db Forcefully bump deps for 4.1.0
• 53ddd50 Replace nyc with c8 for test coverage info
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for pa11y-ci since your current version.