chore(SEC-10598): upgrade underscore to 1.13.8

[phantom-autopilot]

Summary

• Upgrades underscore from ^1.13.6 (resolved 1.13.7) to ^1.13.8 to address GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 — unlimited recursion in _.flatten and _.isEqual (HIGH severity DoS).
• Updates yarn.lock and pnpm-lock.yaml accordingly.
• Adds a @phantom/synpress patch changeset.

Resolves SEC-10598.

Test plan

• yarn install succeeds with new version pinned in yarn.lock (1.13.8).
• node -e "require('underscore').VERSION" reports 1.13.8.
• coderabbit review reports no findings.
• CI on the PR is green (pre-existing lint/prettier issues on dev are out of scope).

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated underscore dependency to version 1.13.8

[phantom-autopilot]

PR opened by agent

#39

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7558f055-5a27-481f-9717-c3a2ca52a8a5

📥 Commits

Reviewing files that changed from the base of the PR and between ff82e55 and 7d7fdaa.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• .changeset/sec-10598-underscore-1-13-8.md
• package.json

---

📝 Walkthrough

Walkthrough

This PR upgrades the underscore dependency from 1.13.6 to 1.13.8 across @phantom/synpress to address security vulnerability GHSA-qpx9-hpmf-5gmw, documented in a new changeset entry.

Changes

Dependency Security Update

Layer / File(s)	Summary
Manifest Update package.json	underscore version bumped from ^1.13.6 to ^1.13.8 in dependencies.
Release Metadata .changeset/sec-10598-underscore-1-13-8.md	New changeset entry marks @phantom/synpress as patch with security upgrade description referencing CVE GHSA-qpx9-hpmf-5gmw.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly matches the main change: upgrading underscore to 1.13.8 and is concise, clear, and specific about the primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch autopilot2/sec-10598_high-upgrade-underscore-in-github-com-phantom-synpress-to-1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[phantom-autopilot]

PR opened by agent

Draft PR: #39

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​underscore@​1.13.7 ⏵ 1.13.8		+16	+1

View full report