VULN UPGRADE: minor upgrades — 9 packages (minor: 3 · patch: 6) [php/Laravel57]#164

Open
campaigner-prod[bot] wants to merge 1 commit into master from
engraver-auto-version-upgrade/minorpatch/npm/Laravel57/0-1772730296

Conversation

@campaigner-prod
Summary: Critical-severity security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

  • php/Laravel57 (npm)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| lodash | 4.17.5 | 4.17.23 | patch | 2 CRITICAL, 6 HIGH, 6 MODERATE |
| jquery | 3.2 | 3.7.1 | minor | 1 HIGH, 7 MODERATE |
| bootstrap | 4.0.0 | 4.6.2 | minor | 8 MODERATE |
| sass-loader | 7.1.0 | 7.3.1 | minor | - |
| cross-env | 5.1 | 5.1.6 | patch | - |
| popper.js | 1.12 | 1.12.9 | patch | - |
| resolve-url-loader | 2.3.1 | 2.3.2 | patch | - |
| sass | 1.15.2 | 1.15.3 | patch | - |
| vue | 2.5.17 | 2.5.22 | patch | 1 LOW |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (9 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| lodash | CVE-2019-10744 | CRITICAL | - | 4.17.5 | - |
| lodash | GHSA-jf85-cpcp-j695 | CRITICAL | Prototype Pollution in lodash | 4.17.5 | 4.17.12 |
| jquery | CVE-2020-11023 | HIGH | This package is related to CVE-2020-11023, which was detected by cisa.gov as actively being exploited in the wild | 3.2 | - |
| lodash | CVE-2018-16487 | HIGH | - | 4.17.5 | - |
| lodash | GHSA-4xc9-xhrj-v574 | HIGH | Prototype Pollution in lodash | 4.17.5 | 4.17.11 |
| lodash | CVE-2020-8203 | HIGH | - | 4.17.5 | - |
| lodash | GHSA-p6mc-m468-83gw | HIGH | Prototype Pollution in lodash | 4.17.5 | 4.17.19 |
| lodash | CVE-2021-23337 | HIGH | - | 4.17.5 | - |
| lodash | GHSA-35jh-r3h4-6jhm | HIGH | Command Injection in lodash | 4.17.5 | 4.17.21 |

ℹ️ Other Vulnerabilities (22)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| bootstrap | CVE-2019-8331 | MODERATE | - | 4.0.0 | - |
| bootstrap | CVE-2018-14041 | MODERATE | - | 4.0.0 | - |
| bootstrap | GHSA-7mvr-5x2g-wfc8 | MODERATE | Bootstrap Cross-site Scripting vulnerability | 4.0.0 | 4.1.2 |
| bootstrap | CVE-2018-14042 | MODERATE | - | 4.0.0 | - |
| bootstrap | GHSA-3wqf-4x89-9g79 | MODERATE | Bootstrap vulnerable to Cross-Site Scripting (XSS) | 4.0.0 | 4.1.2 |
| bootstrap | CVE-2018-14040 | MODERATE | - | 4.0.0 | - |
| bootstrap | GHSA-9v3m-8fp8-mj99 | MODERATE | Bootstrap Vulnerable to Cross-Site Scripting | 4.0.0 | 4.3.1 |
| bootstrap | GHSA-pj7m-g53m-7638 | MODERATE | Bootstrap Cross-site Scripting vulnerability | 4.0.0 | 4.1.2 |
| jquery | DRUPAL-CORE-2019-006 | MODERATE | - | 3.2 | - |
| jquery | GHSA-gxr4-xjj5-5px2 | MODERATE | Potential XSS vulnerability in jQuery | 3.2 | 3.5.0 |
| jquery | CVE-2019-11358 | MODERATE | - | 3.2 | - |
| jquery | CVE-2020-11022 | MODERATE | - | 3.2 | - |
| jquery | CVE-2020-11023 | MODERATE | - | 3.2 | - |
| jquery | GHSA-jpcq-cgw6-v4j6 | MODERATE | Potential XSS vulnerability in jQuery | 3.2 | 3.5.0 |
| jquery | GHSA-6c3j-c64m-qhgq | MODERATE | XSS in jQuery as used in Drupal, Backdrop CMS, and other products | 3.2 | 3.4.0 |
| lodash | CVE-2020-28500 | MODERATE | - | 4.17.5 | - |
| lodash | CVE-2019-1010266 | MODERATE | - | 4.17.5 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.5 | 4.17.23 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.5 | - |
| lodash | GHSA-29mw-wpgm-hmr9 | MODERATE | Regular Expression Denial of Service (ReDoS) in lodash | 4.17.5 | 4.17.21 |
| lodash | GHSA-x5rq-j2xg-h7qm | MODERATE | Regular Expression Denial of Service (ReDoS) in lodash | 4.17.5 | 4.17.11 |
| vue | GHSA-5j4c-8p2g-v4jx | LOW | ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function | 2.5.17 | 3.0.0-alpha.0 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System