Skip to content

chore(SEC-10598): upgrade underscore to 1.13.8#39

Draft
phantom-autopilot[bot] wants to merge 1 commit intodevfrom
autopilot2/sec-10598_high-upgrade-underscore-in-github-com-phantom-synpress-to-1
Draft

chore(SEC-10598): upgrade underscore to 1.13.8#39
phantom-autopilot[bot] wants to merge 1 commit intodevfrom
autopilot2/sec-10598_high-upgrade-underscore-in-github-com-phantom-synpress-to-1

Conversation

@phantom-autopilot
Copy link
Copy Markdown

@phantom-autopilot phantom-autopilot Bot commented May 5, 2026
edited by coderabbitai Bot
Loading

Summary

  • Upgrades underscore from ^1.13.6 (resolved 1.13.7) to ^1.13.8 to address GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 — unlimited recursion in _.flatten and _.isEqual (HIGH severity DoS).
  • Updates yarn.lock and pnpm-lock.yaml accordingly.
  • Adds a @phantom/synpress patch changeset.

Resolves SEC-10598.

Test plan

  • yarn install succeeds with new version pinned in yarn.lock (1.13.8).
  • node -e "require('underscore').VERSION" reports 1.13.8.
  • coderabbit review reports no findings.
  • CI on the PR is green (pre-existing lint/prettier issues on dev are out of scope).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated underscore dependency to version 1.13.8

@phantom-autopilot
chore(SEC-10598): upgrade underscore to 1.13.8
7d7fdaa 
Resolves GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 — underscore <=1.13.7
allows unlimited recursion in _.flatten and _.isEqual (DoS).
@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 5, 2026

PR opened by agent

#39

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 5, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7558f055-5a27-481f-9717-c3a2ca52a8a5

📥 Commits

Reviewing files that changed from the base of the PR and between ff82e55 and 7d7fdaa.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • .changeset/sec-10598-underscore-1-13-8.md
  • package.json
📝 Walkthrough

Walkthrough

This PR upgrades the underscore dependency from 1.13.6 to 1.13.8 across @phantom/synpress to address security vulnerability GHSA-qpx9-hpmf-5gmw, documented in a new changeset entry.

Changes

Dependency Security Update

Layer / File(s) Summary
Manifest Update
package.json		 underscore version bumped from ^1.13.6 to ^1.13.8 in dependencies.
Release Metadata
.changeset/sec-10598-underscore-1-13-8.md		 New changeset entry marks @phantom/synpress as patch with security upgrade description referencing CVE GHSA-qpx9-hpmf-5gmw.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly matches the main change: upgrading underscore to 1.13.8 and is concise, clear, and specific about the primary objective.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch autopilot2/sec-10598_high-upgrade-underscore-in-github-com-phantom-synpress-to-1

Comment @coderabbitai help to get the list of available commands and usage tips.

@phantom-autopilot
Copy link
Copy Markdown
Author

phantom-autopilot Bot commented May 5, 2026

PR opened by agent

Draft PR: #39

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​underscore@​1.13.7 ⏵ 1.13.898100 +1685 +183100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phantom-autopilot