24391951277
94%

Ran 14 Apr 2026 09:39AM UTC

Jobs 0

Files 0

Run time –

Badge

Embed ▾

pending completion

Build # 24391951277

Build Type

push

github

Committed by

web-flow

Commit Message

fix(security): bump lodash from ~4.17.23 to ~4.18.0 (#833)

* fix(security): bump lodash from ~4.17.23 to ^4.18.0

lodash ~4.17.23 is affected by two security vulnerabilities patched
in 4.18.0:

- Code injection via _.template imports key names (bypass of the
  CVE-2021-23337 fix — untrusted imports key names flow into the
  same Function() sink as the variable option)

- Prototype pollution via array path bypass in _.unset / _.omit
  (array-wrapped segments bypass the string-only guard introduced
  in CVE-2025-13465)

Widen the range to ^4.18.0 in @metascraper/helpers, metascraper-iframe,
and metascraper-logo so consumers can resolve to the patched version
without resorting to overrides/resolutions.

Closes #832

* Update package.json

* Update package.json

* Update package.json

* test(helpers): replace brittle snapshot with targeted assertions

The load-iframe 'markup is correct' test was snapshotting the entire
HTML from a live third-party URL, causing frequent failures whenever
Transistor updated their player markup or asset hashes.

Replace the snapshot with structural assertions that verify the iframe
loads correctly without being coupled to third-party markup details.

---------

Co-authored-by: Jose Francisco 'Kiko' Verdú Gambín <josefrancisco.verdu@gmail.com>

Coverage Stats

Source Files on build 24391951277

Detailed source file information is not available for this build.

microlinkhq / metascraper / 24391951277
94%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on build 24391951277

microlinkhq / metascraper / 24391951277 94%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on build 24391951277

microlinkhq / metascraper / 24391951277
94%

README BADGES
x