lodash update #2524

Merged
mfreeman451 merged 1 commit from refs/pull/2524/head into main 2025-12-08 05:13:37 +00:00
mfreeman451 commented 2025-12-08 05:09:10 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2080
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2080
Original created: 2025-12-08T05:09:10Z
Original updated: 2025-12-08T05:13:40Z
Original head: carverauto/serviceradar:chore/update_lodash
Original base: main
Original merged: 2025-12-08T05:13:37Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement, Dependencies


Description

  • Replace lodash.set package with native lodash import

  • Update import statement to use lodash/set subpath

  • Remove lodash.set dependency from package.json

  • Clean up Bazel build configuration and type definitions


Diagram Walkthrough

flowchart LR
  A["lodash.set package"] -->|"removed"| B["lodash/set subpath"]
  C["package.json"] -->|"dependency removed"| D["lodash only"]
  E["BUILD.bazel"] -->|"config simplified"| F["single lodash reference"]

File Walkthrough

Relevant files

Dependencies

safeSet.ts (web/src/lib/safeSet.ts, +1/-1): Update lodash import to use subpath
  • Changed import from lodash.set to lodash/set subpath
  • Maintains same functionality with consolidated dependency

package.json (web/package.json, +0/-2): Remove lodash.set package dependencies
  • Removed lodash.set dependency (^4.3.2)
  • Removed @types/lodash.set dev dependency (^4.3.9)
  • Lodash main package remains as primary dependency

pnpm-lock.yaml (web/pnpm-lock.yaml, +0/-18): Update pnpm lock file for removed dependencies
  • Removed lodash.set entry from dependencies (version 4.3.2)
  • Removed @types/lodash.set entry from devDependencies (version 4.3.9)
  • Removed corresponding package resolution entries
  • Updated lock file snapshots to reflect changes

Configuration changes

MODULE.bazel (MODULE.bazel, +0/-1): Remove lodash.set from Bazel module config
  • Removed npm__lodash.set__4.3.2__links from use_repo call
  • Kept npm__lodash__4.17.21__links reference

BUILD.bazel (web/BUILD.bazel, +0/-11): Remove lodash.set from Bazel build targets
  • Removed load statement for @npm__lodash.set__4.3.2__links
  • Removed npm_link_lodash_set_store function call
  • Removed :node_modules/lodash.set from js_binary and nextjs_standalone_build deps
  • Kept lodash main package references intact

qodo-code-review[bot] commented 2025-12-08 05:09:44 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2080#issuecomment-3624881339
Original created: 2025-12-08T05:09:44Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
⚪
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No auditing: The new import change does not add or affect any logging of critical actions, and there is
no evidence in the diff that critical actions are audited.

Referred Code
import set from 'lodash/set';

// Centralized guards against prototype pollution when performing deep property sets.
const dangerousKeys = ['__proto__', 'constructor', 'prototype'] as const;

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error handling: The change only updates an import and does not demonstrate handling of potential failures
when performing deep property sets or dependency resolution.

Referred Code
import set from 'lodash/set';

// Centralized guards against prototype pollution when performing deep property sets.
const dangerousKeys = ['__proto__', 'constructor', 'prototype'] as const;

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Input validation unclear: While the file comment mentions guards against prototype pollution, the diff only changes
the import and does not show validation or sanitization logic for inputs being set.

Referred Code
import set from 'lodash/set';

// Centralized guards against prototype pollution when performing deep property sets.
const dangerousKeys = ['__proto__', 'constructor', 'prototype'] as const;

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-12-08 05:10:43 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2080#issuecomment-3624889533
Original created: 2025-12-08T05:10:43Z

PR Code Suggestions

Explore these optional code suggestions:

Category: Security
Suggestion: Fix prototype pollution vulnerability

Fix a prototype pollution vulnerability in the containsDangerousKey function by
improving the string path parsing logic to correctly handle non-numeric property
access within brackets.

web/src/lib/safeSet.ts [13-20]

 function containsDangerousKey(path: string | (string | number)[]): boolean {
   const keys = Array.isArray(path)
     ? path.map(String)
-    : path.replace(/\[(\d+)\]/g, '.$1').split('.');
+    : path.replace(/\[/g, '.').replace(/\]/g, '').split('.');
 
   return keys.some(isDangerousKey);
 }
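Review bot: the replacement on the `+` line still lets a quoted bracket key through. `path.replace(/\[/g, '.').replace(/\]/g, '')` turns `a["__proto__"].b` into the segments `a`, `"__proto__"` and `b`, and `isDangerousKey` does not match the quoted form, while lodash's own path grammar reads `["__proto__"]` as the key `__proto__`, so the guard and `set` would still disagree. Rather than a second hand-rolled split, derive the key list from the same parser `set` uses (lodash exports `toPath`, which applies the same string-to-path rules as `set`), and add unit tests for the dotted, numeric-bracket, bare-bracket and quoted-bracket spellings so the two cannot drift apart again.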

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical prototype pollution vulnerability in the containsDangerousKey function and provides a valid fix. This is a high-impact security issue that the PR should address.

Impact: High
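Worked example, added here and not part of ServiceRadar's safeSet.ts or the bot's suggestion: it places the PR's parser and the suggested parser beside a tokenizer modelled on lodash's path grammar, and wires that tokenizer into a dependency-free deep setter (a stand-in for lodash/set, so it runs without the library) so the guard examines exactly the keys the setter will walk. `legacyKeys`, `suggestedKeys`, `toPathKeys` and `safeSet` are names chosen for this example.

```typescript
// Added example (not ServiceRadar's safeSet.ts). The point: a prototype-pollution
// guard is only as good as the agreement between its path parser and the setter's.

const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];

export function isDangerousKey(key: string): boolean {
  return DANGEROUS_KEYS.indexOf(key) !== -1;
}

// Parser as shown in the PR: only a numeric [n] becomes its own segment, so a
// bare or quoted key inside brackets is never examined on its own.
export function legacyKeys(path: string): string[] {
  return path.replace(/\[(\d+)\]/g, '.$1').split('.');
}

// Parser from the bot's suggestion: brackets become dots, but quotes survive.
export function suggestedKeys(path: string): string[] {
  return path.replace(/\[/g, '.').replace(/\]/g, '').split('.');
}

// Tokenizer following lodash's path grammar: a.b, a[0], a["b"], a['b'], a[b].
// A bare [b] fails both bracket alternatives, so "b" is captured as a plain segment.
export function toPathKeys(path: string | (string | number)[]): string[] {
  if (Array.isArray(path)) return path.map(String);
  const token = /[^.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]/g;
  const keys: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = token.exec(path)) !== null) {
    if (m[1] !== undefined) keys.push(m[1]);                                // [12]
    else if (m[3] !== undefined) keys.push(m[3].replace(/\\(\\)?/g, '$1')); // ["k"]
    else keys.push(m[0]);                                                   // k or [k]
  }
  return keys;
}

export function containsDangerousKey(path: string | (string | number)[]): boolean {
  return toPathKeys(path).some(isDangerousKey);
}

// Deep set that applies the guard to the very key list it then walks.
// Assumption for this example: a dangerous key is a hard error, not a silent skip.
export function safeSet<T extends object>(
  target: T,
  path: string | (string | number)[],
  value: unknown,
): T {
  const keys = toPathKeys(path);
  if (keys.length === 0) return target;
  if (keys.some(isDangerousKey)) {
    throw new Error(`safeSet: refusing path with dangerous key: ${keys.join('.')}`);
  }
  let node = target as unknown as Record<string, unknown>;
  for (let i = 0; i < keys.length - 1; i++) {
    const next = node[keys[i]];
    if (next === null || typeof next !== 'object') {
      // Create an array when the following segment is an index, as lodash does.
      node[keys[i]] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[keys[i]] as Record<string, unknown>;
  }
  node[keys[keys.length - 1]] = value;
  return target;
}
```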
Reference
carverauto/serviceradar!2524