Fix OCPBUGS-87864: CVE-2026-4800

[germanparente]

Fix OCPBUGS-87864: CVE-2026-4800

Summary by CodeRabbit

• Chores
  • Updated a utility library dependency to a newer version, with alignment of forced version specifications.

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is invalid:

• expected Jira Issue OCPBUGS-87864 to depend on a bug targeting a version in 5.1.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• dynamic-demo-plugin/yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c95cc087-c22f-4b4c-aaad-3049eff93781

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR updates the lodash-es dependency in frontend/package.json from ^4.17.x to ^4.18.1 in both the main dependencies and resolutions fields, ensuring consistent versioning across the frontend package configuration.

Changes

Lodash-es upgrade

Layer / File(s)	Summary
Lodash-es version alignment frontend/package.json	The lodash-es dependency is bumped from ^4.17.x to ^4.18.1 in both the dependencies and resolutions fields to maintain consistency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely minimal and missing all required template sections including Analysis/Root cause, Solution description, Test setup, Test cases, and Browser conformance.	Fill in all required template sections: provide CVE analysis/root cause, explain the lodash-es version update rationale, include test setup and test cases, and check browser compatibility boxes.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix OCPBUGS-87864: CVE-2026-4800' clearly maps to the primary change: updating lodash-es dependency to address the CVE security vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies 50 Go test files, but none use the Ginkgo testing framework. All test files use Go's standard "testing" package with func Test*() functions. The custom check for Ginkgo test name...
Test Structure And Quality	✅ Passed	PR contains only a frontend/package.json dependency update for lodash-es, with no Ginkgo or test code changes. The custom check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR only updates lodash-es in frontend/package.json for CVE-2026-4800 fix. It adds no Ginkgo e2e tests, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates frontend/package.json dependencies (lodash-es version bump for CVE fix) with no new Ginkgo e2e tests added. The SNO test compatibility check only applies when new tests are int...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR only updates frontend JavaScript dependencies (lodash-es) and introduces no deployment manifests, operator code, controllers, or scheduling constraints; the topology-aware scheduling check...
Ote Binary Stdout Contract	✅ Passed	PR only modifies frontend/package.json (lodash-es dependency update). No Go code, test files, or process-level code modified. OTE Binary Stdout Contract check is not applicable to frontend package...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies frontend/package.json (JavaScript dependency update for CVE fix). No Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	PR updates lodash-es dependency version only; no weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB) or custom crypto implementations detected in changes.
Container-Privileges	✅ Passed	PR modifies only frontend/package.json to update a dependency version. No K8s manifests, Dockerfiles, or container security configurations are changed; container-privileges check is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements exposing passwords, tokens, API keys, PII, session IDs, hostnames, or customer data were found in this PR's changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Summary by CodeRabbit

• Chores
• Updated a utility library dependency to a newer version, with alignment of forced version specifications.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 201: Replace the caret-ranged lodash-es dependency with an exact pinned
version: change the dependency entry for "lodash-es" from "^4.18.1" to "4.18.1"
and make the same change in any other occurrences (e.g., resolutions block where
"lodash-es" is referenced) so all package.json entries are exact; after editing,
regenerate the lockfile (npm or yarn) to ensure deterministic installs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dae64a76-b2fc-4598-ac94-f56ad9115203

📥 Commits

Reviewing files that changed from the base of the PR and between 534d254 and b44a857.

⛔ Files ignored due to path filters (1)

• frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• frontend/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Pin exact version instead of using caret range.

The coding guidelines require exact version pinning for supply chain security. Using ^4.18.1 allows any version from 4.18.1 up to (but not including) 5.0.0, which can introduce unintended updates. For security patches like this CVE fix, deterministic builds are critical.

As per coding guidelines, dependencies should use exact versions to ensure reproducible, secure builds.

🔒 Proposed fix to use exact version pinning

-    "lodash-es": "^4.18.1",
+    "lodash-es": "4.18.1",

And in resolutions:

-    "lodash-es": "^4.18.1",
+    "lodash-es": "4.18.1",

Also applies to: 329-329

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/package.json` at line 201, Replace the caret-ranged lodash-es
dependency with an exact pinned version: change the dependency entry for
"lodash-es" from "^4.18.1" to "4.18.1" and make the same change in any other
occurrences (e.g., resolutions block where "lodash-es" is referenced) so all
package.json entries are exact; after editing, regenerate the lockfile (npm or
yarn) to ensure deterministic installs.

Source: Coding guidelines

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: germanparente
Once this PR has been reviewed and has the lgtm label, please assign jhadvig for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• dynamic-demo-plugin/OWNERS
• frontend/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[germanparente]

/test e2e-playwright

[openshift-ci]

@germanparente: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-playwright	de5e472	link	false	/test e2e-playwright

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.