fix: resolve lodash prototype pollution vulnerability (CVE-2025-13465)

[kherembourg]

Summary

• Add npm overrides in test-projects/rn-purchasely-test/package.json to force lodash to >=4.17.23
• Regenerated package-lock.json to resolve the vulnerable transitive dependency

Security

Fixes Dependabot alert #529 — lodash >= 4.0.0, <= 4.17.22 has a Prototype Pollution vulnerability in _.unset and _.omit functions (CVE-2025-13465, Medium severity).

Note: The main workspace already had a yarn resolution for lodash >= 4.17.23 (from PR #216). This fix addresses the remaining vulnerable instance in the RN test project's npm lock file.

Test plan

• npm install succeeds in RN test project
• Verified lodash resolves to 4.17.23 in lock file
• npm audit shows 0 vulnerabilities

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @kherembourg, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security vulnerability (CVE-2025-13465) related to prototype pollution in lodash within the rn-purchasely-test project. It ensures that the test project's dependencies are updated to a secure version of lodash by introducing an npm override and regenerating the lock file, thereby mitigating the identified risk.

Highlights

• Security Vulnerability Resolution: Resolved the lodash prototype pollution vulnerability (CVE-2025-13465) specifically within the rn-purchasely-test project.
• Dependency Override: Enforced lodash version >=4.17.23 in the test-projects/rn-purchasely-test/package.json using npm overrides.
• Lock File Update: Regenerated package-lock.json to reflect the new lodash version and other updated dependencies, ensuring the fix is applied.

Changelog

• test-projects/rn-purchasely-test/package-lock.json
  • Updated lodash from 4.17.21 to 4.17.23.
  • Updated @purchasely/react-native-purchasely-android-player from 5.6.1 to 5.6.2.
  • Updated @purchasely/react-native-purchasely-google from 5.6.1 to 5.6.2.
  • Updated react-native-purchasely from 5.6.1 to 5.6.2.
• test-projects/rn-purchasely-test/package.json
  • Added an overrides section to explicitly enforce lodash version >=4.17.23.

Activity

• Fixed Dependabot alert #529 concerning a lodash prototype pollution vulnerability (CVE-2025-13465).
• Verified the fix through a test plan: npm install succeeded, lodash resolved to 4.17.23 in the lock file, and npm audit reported 0 vulnerabilities.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses the lodash prototype pollution vulnerability by using npm's overrides feature to enforce a secure version of lodash. My review includes a suggestion to make the version constraint in the override safer against potential future breaking changes.

[gemini-code-assist]

Using >= for the lodash version in overrides could be risky. If a new major version of lodash (e.g., 5.0.0) is released, npm might install it, which could introduce breaking changes. It's safer to use a caret ^ to restrict updates to minor and patch versions within the current major version. This ensures you get security patches without accidentally pulling in breaking changes.

Suggested change

	"lodash": ">=4.17.23"
	"lodash": "^4.17.23"