[Snyk] Security upgrade lodash from 4.17.5 to 4.18.1

[jpalomar]

Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/dnd-core/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Arbitrary Code Injection SNYK-JS-LODASH-15869625	243
	Prototype Pollution SNYK-JS-LODASH-15869619	117

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Arbitrary Code Injection

[jpalomar]

This minor version upgrade of lodash includes security patches and bug fixes. While generally safe, version 4.18.0 introduces a behavioral change that warrants a medium risk assessment.

Potential Breaking Change:

• A security fix for prototype pollution in _.unset and _.omit alters their behavior. For paths that previously could lead to prototype pollution, the functions will now return false and not modify the object, whereas they might have returned true and deleted the property before. Applications relying on the old (and unsafe) behavior for specific edge cases could be affected.

Other Changes:

• Version 4.18.0 also fixes a code injection vulnerability in _.template.
• Version 4.18.1 corrects build-related bugs introduced in 4.18.0.

Recommendation:
This upgrade is primarily for security. Verify application behavior if you make extensive use of _.unset or _.omit with dynamically generated paths.

Source: GitHub Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.