Hi 👋
Please could you look at updating to the latest lodash dependency >=4.18.1. It's currently pinned to 4.17.21 across all @nivo packages, which has a known Arbitrary Code Injection vulnerability reported in April 2026.
The vulnerability fix is available in 4.18.1 (note: 4.18.0 was deprecated immediately due to a breaking regression, so 4.18.1 is the one to target).
References:
In the meantime, an interim workaround for consumers would be to add an override to their package.json with:
"overrides": {
"lodash": ">=4.18.1"
}
Thanks for maintaining Nivo! 🏆 🙌