OCPBUGS-87864: CVE-2026-4800

[germanparente]

Fix OCPBUGS-87864: CVE-2026-4800

Summary by CodeRabbit

• Chores
  • Updated a utility library dependency to a newer version, with alignment of forced version specifications.

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is invalid:

• expected Jira Issue OCPBUGS-87864 to depend on a bug targeting a version in 5.1.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR updates the lodash-es dependency in frontend/package.json from ^4.17.x to ^4.18.1 in both the main dependencies and resolutions fields, ensuring consistent versioning across the frontend package configuration.

Changes

Lodash-es upgrade

Layer / File(s)	Summary
Lodash-es version alignment frontend/package.json	The lodash-es dependency is bumped from ^4.17.x to ^4.18.1 in both the dependencies and resolutions fields to maintain consistency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely minimal and missing all required template sections including Analysis/Root cause, Solution description, Test setup, Test cases, and Browser conformance.	Fill in all required template sections: provide CVE analysis/root cause, explain the lodash-es version update rationale, include test setup and test cases, and check browser compatibility boxes.
Title check	❓ Inconclusive	The title references a CVE security issue (OCPBUGS-87864: CVE-2026-4800) but the actual code change only updates a lodash-es dependency version, with no clear connection established between the CVE and the specific dependency update.	Clarify how the lodash-es dependency version update (^4.17.21 to ^4.18.1) addresses CVE-2026-4800, or provide more specific details about the vulnerability fix in the title.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies 50 Go test files, but none use the Ginkgo testing framework. All test files use Go's standard "testing" package with func Test*() functions. The custom check for Ginkgo test name...
Test Structure And Quality	✅ Passed	PR contains only a frontend/package.json dependency update for lodash-es, with no Ginkgo or test code changes. The custom check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR only updates lodash-es in frontend/package.json for CVE-2026-4800 fix. It adds no Ginkgo e2e tests, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates frontend/package.json dependencies (lodash-es version bump for CVE fix) with no new Ginkgo e2e tests added. The SNO test compatibility check only applies when new tests are int...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR only updates frontend JavaScript dependencies (lodash-es) and introduces no deployment manifests, operator code, controllers, or scheduling constraints; the topology-aware scheduling check...
Ote Binary Stdout Contract	✅ Passed	PR only modifies frontend/package.json (lodash-es dependency update). No Go code, test files, or process-level code modified. OTE Binary Stdout Contract check is not applicable to frontend package...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies frontend/package.json (JavaScript dependency update for CVE fix). No Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	PR updates lodash-es dependency version only; no weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB) or custom crypto implementations detected in changes.
Container-Privileges	✅ Passed	PR modifies only frontend/package.json to update a dependency version. No K8s manifests, Dockerfiles, or container security configurations are changed; container-privileges check is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements exposing passwords, tokens, API keys, PII, session IDs, hostnames, or customer data were found in this PR's changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@germanparente: This pull request references Jira Issue OCPBUGS-87864, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Summary by CodeRabbit

• Chores
• Updated a utility library dependency to a newer version, with alignment of forced version specifications.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 201: Replace the caret-ranged lodash-es dependency with an exact pinned
version: change the dependency entry for "lodash-es" from "^4.18.1" to "4.18.1"
and make the same change in any other occurrences (e.g., resolutions block where
"lodash-es" is referenced) so all package.json entries are exact; after editing,
regenerate the lockfile (npm or yarn) to ensure deterministic installs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dae64a76-b2fc-4598-ac94-f56ad9115203

📥 Commits

Reviewing files that changed from the base of the PR and between 534d254 and b44a857.

⛔ Files ignored due to path filters (1)

• frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• frontend/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Pin exact version instead of using caret range.

The coding guidelines require exact version pinning for supply chain security. Using ^4.18.1 allows any version from 4.18.1 up to (but not including) 5.0.0, which can introduce unintended updates. For security patches like this CVE fix, deterministic builds are critical.

As per coding guidelines, dependencies should use exact versions to ensure reproducible, secure builds.

🔒 Proposed fix to use exact version pinning

-    "lodash-es": "^4.18.1",
+    "lodash-es": "4.18.1",

And in resolutions:

-    "lodash-es": "^4.18.1",
+    "lodash-es": "4.18.1",

Also applies to: 329-329

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/package.json` at line 201, Replace the caret-ranged lodash-es
dependency with an exact pinned version: change the dependency entry for
"lodash-es" from "^4.18.1" to "4.18.1" and make the same change in any other
occurrences (e.g., resolutions block where "lodash-es" is referenced) so all
package.json entries are exact; after editing, regenerate the lockfile (npm or
yarn) to ensure deterministic installs.

Source: Coding guidelines

[germanparente]

/test e2e-playwright

[jhadvig]

/retest

[jhadvig]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: germanparente, jhadvig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• dynamic-demo-plugin/OWNERS [jhadvig]
• frontend/OWNERS [jhadvig]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[germanparente]

Since all the tests have been passed, I will set this to verified:

/verifyed by @germanparente

[germanparente]

/verifyed-by @germanparente

[germanparente]

right label this time:

/verified by @germanparente

Since all the tests have been successful

[openshift-ci-robot]

@germanparente: This PR has been marked as verified by @germanparente.

Details

In response to this:

right label this time:

/verified by @germanparente

Since all the tests have been successful

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@germanparente: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@germanparente: An error was encountered invalid pull identifier with 2 parts: "advisories/GHSA-35jh-r3h4-6jhm" for bug OCPBUGS-87864 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-87864
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-87864 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Fix OCPBUGS-87864: CVE-2026-4800

Summary by CodeRabbit

• Chores
• Updated a utility library dependency to a newer version, with alignment of forced version specifications.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.