Issue #3591443: Update bundled leaflet-geoman-free to 2.19.3 to fix lodash CVE-2026-2950 and CVE-2026-4800 (!72) · Merge requests · project / leaflet

Updates the bundled @geoman-io/leaflet-geoman-free from 2.13.0 to 2.19.3, which ships lodash 4.18.1 and resolves two security vulnerabilities:

CVE-2026-2950 (https://nvd.nist.gov/vuln/detail/CVE-2026-2950) — Prototype pollution via .unset/.omit (CVSS 5.3 Medium)
CVE-2026-4800 (https://nvd.nist.gov/vuln/detail/CVE-2026-4800) — Code injection via template options (CVSS 9.8 Critical)

The dist files (leaflet-geoman.min.js and leaflet-geoman.css) and package.json have been updated. The dist files are the official build from the npm package @geoman-io/leaflet-geoman-free@2.19.3.

Tested locally: leaflet map renders correctly with the updated dist.

Closes #3591443

Issue #3591443: Update bundled leaflet-geoman-free to 2.19.3 to fix lodash CVE-2026-2950 and CVE-2026-4800

Merge request reports