Bump lodash.template, gulp, gulp-bower, gulp-spawn-mocha and gulp-typescript

[dependabot]

Bumps lodash.template to 4.18.1 and updates ancestor dependencies lodash.template, gulp, gulp-bower, gulp-spawn-mocha and gulp-typescript. These dependencies need to be updated together.

Updates lodash.template from 4.4.0 to 4.18.1

Release notes

Sourced from lodash.template's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates gulp from 3.9.1 to 5.0.1

Release notes

Sourced from gulp's releases.

gulp v5.0.1

Bug Fixes

• Avoid globbing before read stream is opened (#2839) (19122f3)
• Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
• Support top-level await on Node 22.12+ (#2836) (04b4a74)

gulp v5.0.0

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

• Drop support for Node.js <10.13
• Default stream encoding to UTF-8
• Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
• Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
• All globs and paths are normalized to unix-like filepaths
• Only allow JS variants for .gulp.* config files
• Removed support for alpha releases of v4 from gulp-cli
• Removed the --verify flag
• Renamed the --require flag to --preload to avoid conflicting with Node.js flags
• Removed many legacy and deprecated loaders
• Upgrade to chokidar v3
• Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
• Stop using process.umask() to make directories, instead falling back to Node's default mode
• Throw on non-function, non-string option coercers
• Drop support of Node.js snake_case flags
• Use a Symbol for attaching the gulplog namespace to the store
• Use a Symbol for attaching the gulplog store to the global
• Use sha256 to hash the v8flags cache into a filename

Features

• Streamlined the dependency tree
• Switch all streams implementation to Streamx
• Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
• Implement translation support for all CLI messages and all messages passing through gulplog
• Allow users to customize or remove the timestamp from their logs
• Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
• Added support for gulpile.cjs and gulpfile.mjs
• Add support for swc, esbuild, sucrase, and mdx loaders
• Provide an ESM export (#2760) (b00de68)
• Support sourcemap handling on streaming Vinyl contents

... (truncated)

Changelog

Sourced from gulp's changelog.

5.0.1 (2025-06-01)

Bug Fixes

• Avoid globbing before read stream is opened (#2839) (19122f3)
• Avoid Node.js deprecation warning for fs.Stats (#2838) (69a5d0e)
• Support top-level await on Node 22.12+ (#2836) (04b4a74)

5.0.0 (2024-03-29)

We've tried to provide a high-level changelog for gulp v5 below, but it doesn't contain all changes from the 60+ dependencies that we maintain.

Please see individual changelogs to drill down into all changes that were made.

⚠ BREAKING CHANGES

• Drop support for Node.js <10.13
• Default stream encoding to UTF-8
• Standardized on anymatch library for globbing paths. All globs should work the same between src and watch now!
• Removed support for ordered globs. This aligns with the chokidar globbing implementation. If you need your globs to be ordered, you can use ordered-read-stream
• All globs and paths are normalized to unix-like filepaths
• Only allow JS variants for .gulp.* config files
• Removed support for alpha releases of v4 from gulp-cli
• Removed the --verify flag
• Renamed the --require flag to --preload to avoid conflicting with Node.js flags
• Removed many legacy and deprecated loaders
• Upgrade to chokidar v3
• Clone Vinyl objects with stream contents using teex, but no longer wait for all streams to flow before cloned streams will receive data
• Stop using process.umask() to make directories, instead falling back to Node's default mode
• Throw on non-function, non-string option coercers
• Drop support of Node.js snake_case flags
• Use a Symbol for attaching the gulplog namespace to the store
• Use a Symbol for attaching the gulplog store to the global
• Use sha256 to hash the v8flags cache into a filename

Features

• Streamlined the dependency tree
• Switch all streams implementation to Streamx
• Rewrote glob-stream to use a custom directory walk that relies on newer Node.js features and is more performant than old implementation
• Implement translation support for all CLI messages and all messages passing through gulplog
• Allow users to customize or remove the timestamp from their logs
• Upgraded gulplog to v2. Messages logged via v1 will also display a deprecated warning. Plugins should update to v2 as the community upgrades to gulp 5
• Added support for gulpile.cjs and gulpfile.mjs
• Add support for swc, esbuild, sucrase, and mdx loaders
• Provide an ESM export (#2760) (b00de68)
• Support sourcemap handling on streaming Vinyl contents

... (truncated)

Commits

• 0003e9f chore: release 5.0.1 (#2837)
• 19122f3 fix: Avoid globbing before read stream is opened (#2839)
• 69a5d0e fix: Avoid Node.js deprecation warning for fs.Stats (#2838)
• 04b4a74 fix: Support top-level await on Node 22.12+ (#2836)
• c90e79e chore: Fix CI (#2835)
• 5412605 chore(docs): Update async completion document for newer RxJS (#2831)
• 2fa4981 chore: Update glob docs with replacement to ordered globs (#2788)
• fe9dee6 chore: Remove locale docs (#2787)
• a85eddb chore: Remove node-glob options from docs (#2786)
• 9c818e6 chore: update src.md docs to add encoding parameter
• Additional commits viewable in compare view

Updates gulp-bower from 0.0.13 to 0.0.15

Commits

• See full diff in compare view

Updates gulp-spawn-mocha from 3.3.1 to 6.0.0

Commits

• 8ead3ca 6.0.0
• 2ee66b2 Update mocha to latest version
• 154431f Merge pull request #62 from rsxdalv/master
• b6eef70 Fix security vulnerabilities in dependencies
• 114649a Merge pull request #70 from berkowitzi/error-on-null-exit-codes
• 16ac426 Throw an error upon unexpected termination of child process
• 026944d Upgrade dev dependencies, Gulp
• 8b5e7fd 5.0.1
• 4a5fdd4 Merge pull request #66 from leipert/master
• 1af74a9 migrate away from gulp-util
• Additional commits viewable in compare view

Updates gulp-typescript from 3.2.4 to 6.0.0-alpha.1

Release notes

Sourced from gulp-typescript's releases.

v5.0.1 - Resolve @​types in node_modules above current directory

• Fixes #563

v5.0.0 - Custom transforms & various fixes

Custom transforms

We added support for custom transformers. We added a similar API as awesome-typescript-loader.

You can pass aditional transforms to the compiler pipeline. We aligned with the interface of awesome-typescript-loader. You can specify transforms by setting the getCustomTransformers option.

The option expects a string, pointing at a module that exposes the transforms, or a function that returns the transforms. Its type is getCustomTransformers: (string | ((program: ts.Program) => ts.CustomTransformers | undefined)).

const styledComponentsTransformer = require('typescript-plugin-styled-components').default;
const project = ts.createProject('test/customTransformers/tsconfig.json', {
getCustomTransformers: () => ({
before: [
styledComponentsTransformer(),
]
});
});

Crash the build on errors

We now crash the build on errors. This is desired for CI environments. However, this is not desired for watch mode. Gulp 4 will automatically catch errors in watch mode. If you cannot update to gulp 4, you should attach an error handler to catch those compilation errors.

gulp.src(..)
  .pipe(ts(..))
  .on('error', () => { /* Ignore compiler errors */})
  .pipe(gulp.dest(..))

Bug fixes

• Mark node 8 as minimum requirement - #584
• Removed dependency on vinyl in generated typings - #567
• Use custom version of TypeScript in longReporter - #487
• Prevent duplicate errors with noEmitOnErrors - #543
• Fixed minimal support for project references - #595
• Removed source maps comments from .d.ts files - #596

5.0.0-alpha.3 - Fix fullReporter

Fixes the full reporter (#581)

5.0.0-alpha.2 - Project references

Added support for project references (#579, thanks to @​rbuckton)

v4.0.1 - Fix missing dependency

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.