[Snyk] Security upgrade lodash-es from 4.17.21 to 4.17.23

[bijupki]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/ui/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LODASHES-15053836	631

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[segrem25830-pki]

Checkmarx One – Scan Summary & Details – 4de2f22b-8f8b-4fd4-968f-b912743f1b35

New Issues (8)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-23950	Npm-tar-6.2.1	details Recommended version: 7.5.3 Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-24842	Npm-tar-6.2.1	details Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-13465	Npm-lodash-es-4.17.21	details Recommended version: 4.17.23 Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2025-13465	Npm-lodash-4.17.15	details Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2025-13465	Npm-lodash-4.17.21	details Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2025-13465	Npm-lodash-4.17.23	details Description: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetand _.omitfunctions. An attacker can pass crafted paths w... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-24001	Npm-diff-4.0.2	details Recommended version: 4.0.3 Description: jsdiff is a JavaScript text differencing implementation. Prior to versions 4.0.3, 5.x prior to 5.2.1 and 6.x through 8.x prior to 8.0.3, attempting... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-24001	Npm-diff-5.2.0	details Recommended version: 5.2.1 Description: jsdiff is a JavaScript text differencing implementation. Prior to versions 4.0.3, 5.x prior to 5.2.1 and 6.x through 8.x prior to 8.0.3, attempting... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

Fixed Issues (3)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2026-21884	Npm-react-router-5.3.4
	Client_Dangerous_File_Inclusion	/packages/bio-parsers/umd_demo.html: 3
	Client_Dangerous_File_Inclusion	/packages/ove/public/UMDDemo.html: 13

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR