node-lodash (4.17.4+dfsg-1ubuntu0.1~esm1) bionic-security; urgency=medium

  * SECURITY UPDATE: ReDoS in _.trim via toNumber
    - debian/patches/CVE-2020-28500.patch: restrict trim regex to
      prevent catastrophic backtracking on crafted input in lodash.js,
      test/test.js.
    - CVE-2020-28500
  * SECURITY UPDATE: prototype pollution via zipObjectDeep
    - debian/patches/CVE-2020-8203.patch: add path key blocklist in
      baseSet and baseUnset to reject __proto__ and constructor in
      lodash.js, test/test.js.
    - CVE-2020-8203
  * SECURITY UPDATE: command injection via _.template variable option
    - debian/patches/CVE-2021-23337.patch: validate variable names in
      template against reForbiddenIdentifierChars in lodash.js,
      test/test.js.
    - CVE-2021-23337
  * SECURITY UPDATE: prototype pollution in baseUnset
    - debian/patches/CVE-2025-13465.patch: add path traversal guards
      in baseUnset to block __proto__ and constructor.prototype paths in
      lodash.js, test/test.js.
    - CVE-2025-13465
  * SECURITY UPDATE: prototype pollution in baseUnset (bypass)
    - debian/patches/CVE-2026-2950.patch: use toKey() to normalize path
      segments and block constructor/prototype as non-terminal keys in
      lodash.js, test/test.js.
    - CVE-2026-2950
  * SECURITY UPDATE: command injection via _.template imports keys
    - debian/patches/CVE-2026-4800_1.patch: validate imports key names
      against reForbiddenIdentifierChars and switch assignInWith to
      assignWith in lodash.js, test/test.js.
    - debian/patches/CVE-2026-4800_2.patch: fix test references in
      test/test.js.
    - CVE-2026-4800

 -- Shafayat Hossain Majumder <shafayat.majumder@canonical.com>  Mon, 08 Jun 2026 09:36:26 -0400

node-lodash (4.17.4+dfsg-1) unstable; urgency=medium

  * New upstream release
  * Add debian/README.Debian to explain steps of using multi orig tarballs

 -- Pirate Praveen <praveen@debian.org>  Tue, 22 Aug 2017 22:54:01 +0530

node-lodash (4.16.6+dfsg-2) unstable; urgency=medium

  * Include per method js files (Closes: #849275)
  * Add myself to uploaders

 -- Pirate Praveen <praveen@debian.org>  Sun, 25 Dec 2016 12:58:16 +0530

node-lodash (4.16.6+dfsg-1) unstable; urgency=medium

  * Team upload

  [ Paolo Greppi ]
  * Fix build when /bin/sh is set to bash (see #841698).

  [ Sruthi Chandran ]
  * New upstream release (Closes: #842589)
  * Use gitlab mirror in debian/watch (github.com tag page cannot show
    latest releases)

 -- Sruthi Chandran <srud@disroot.org>  Thu, 10 Nov 2016 22:41:04 +0530

node-lodash (4.3.0+dfsg-1) experimental; urgency=medium

  * Team upload.
  * New upstream release.
  * Clean up debian/copyright

 -- Valentin OVD <valentin.ovd@live.fr>  Fri, 12 Feb 2016 15:02:12 +0200
 
node-lodash (3.9.3+dfsg-1) experimental; urgency=medium

  * Team upload.
  * New upstream release (Closes: #805282).
  * Ran wrap-and-sort -t -a.
  * Added public-domain license in debian/copyright.
  * Standards-Version is now 3.9.6.

 -- Thomas Goirand <zigo@debian.org>  Mon, 16 Nov 2015 11:37:25 +0000

node-lodash (2.4.1+dfsg-3) unstable; urgency=low

  * Add the missing licence (Closes: #751583)

 -- Valentin OVD <valentin.ovd@live.fr>  Thu, 19 Jun 2014 17:08:03 +0200

node-lodash (2.4.1+dfsg-2) unstable; urgency=low

  * Move javascript-common from recommends to depends for libjs-lodash

 -- Valentin OVD <valentin.ovd@live.fr>  Thu, 12 Jun 2014 16:19:58 +0200

node-lodash (2.4.1+dfsg-1) unstable; urgency=low

  * Initial release (Closes: #748610)

 -- Valentin OVD <valentin.ovd@live.fr>  Mon, 12 May 2014 16:19:58 +0200
