
Bump underscore from 1.4.4 to 1.13.8#3342

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/underscore-1.13.8

Conversation


@dependabot dependabot bot commented on behalf of github Mar 12, 2026

Bumps underscore from 1.4.4 to 1.13.8.

Commits
  • 9374840 Merge branch 'release/1.13.8'
  • 309ad7e Re-generate annotated sources and minified codemaps
  • a1ac1d3 Add links to diff and docs in 1.13.8 change log entry
  • b579595 Mention CVE-2026-27601 in comments and documentation (#3011)
  • 45ea015 Revert obfuscations from 42823bb.
  • 4a4019e Update minified bundles
  • 1ccfdd0 Add preliminary release notes for 1.13.8
  • 42823bb Temporarily obfuscate comments
  • a6e23ae Make _.isEqual nonrecursive
  • f2b5164 Add regression test against stack overflow in _.isEqual
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [underscore](https://github.com/jashkenas/underscore) from 1.4.4 to 1.13.8.
- [Commits](jashkenas/underscore@1.4.4...1.13.8)

---
updated-dependencies:
- dependency-name: underscore
  dependency-version: 1.13.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Mar 12, 2026
@github-actions

🗄️ Schema Change: No Changes ✅

@github-actions

🛠️ Item Splitting: No Changes ✅

@github-actions

Size Change: 0 B

Total Size: 486 kB

Filename Size
packages/kas/dist/es/index.js 20.8 kB
packages/keypad-context/dist/es/index.js 1 kB
packages/kmath/dist/es/index.js 5.96 kB
packages/math-input/dist/es/index.js 98.5 kB
packages/math-input/dist/es/strings.js 1.61 kB
packages/perseus-core/dist/es/index.item-splitting.js 11.8 kB
packages/perseus-core/dist/es/index.js 24.9 kB
packages/perseus-editor/dist/es/index.js 100 kB
packages/perseus-linter/dist/es/index.js 8.82 kB
packages/perseus-score/dist/es/index.js 9.26 kB
packages/perseus-utils/dist/es/index.js 403 B
packages/perseus/dist/es/index.js 187 kB
packages/perseus/dist/es/strings.js 7.47 kB
packages/pure-markdown/dist/es/index.js 1.39 kB
packages/simple-markdown/dist/es/index.js 6.71 kB

compressed-size-action

@github-actions

npm Snapshot: Published

Good news!! We've packaged up the latest commit from this PR (69611a0) and published it to npm. You can install it using the tag PR3342.

Example:

pnpm add @khanacademy/perseus@PR3342

If you are working in Khan Academy's frontend, you can run the below command.

./dev/tools/bump_perseus_version.ts -t PR3342

If you are working in Khan Academy's webapp, you can run the below command.

./dev/tools/bump_perseus_version.js -t PR3342

prop-types: 15.8.1
tiny-invariant: 1.3.1
underscore: 1.4.4
underscore: 1.13.8
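Review bot: this context only moves the pinned catalog entry from underscore: 1.4.4 to underscore: 1.13.8; nothing in the hunk touches the corresponding peer-range entry for underscore in the same pnpm-workspace.yaml, so the range should be raised to ^1.13.8 in the same change (the file's documented convention keeps the pinned dev version at the bottom of the peer range, normally enforced by running sync-dependencies.ts), otherwise consumers on the older, affected releases still satisfy the peer dependency.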

🔴 The peerDeps catalog entry for underscore on line 62 still says ^1.4.4, but devDeps was bumped to 1.13.8. Per the convention documented in the file header (lines 21-23), peerDeps should be ^1.13.8 so the pinned devDeps version sits at the bottom of the peer range. This means consumers using underscore 1.4.4–1.13.7 would satisfy the peer dep despite being untested and still affected by the CVE this PR is meant to fix.

Extended reasoning...

What the bug is

This PR (generated by Dependabot) bumps underscore from 1.4.4 to 1.13.8 in the devDeps catalog (line 102 of pnpm-workspace.yaml), but does not update the corresponding peerDeps catalog entry on line 62, which still reads underscore: ^1.4.4.

The convention being violated

Lines 21–23 of pnpm-workspace.yaml explicitly document the project’s convention:

The sync-dependencies.ts script ensures that peer deps are always specified as a range, and the dev deps are always pinned to the version at the bottom of that range.

Every other package in the file follows this pattern. For example:

  • react: devDeps 18.2.0 / peerDeps ^18.2.0
  • jquery: devDeps 2.1.1 / peerDeps ^2.1.1
  • aphrodite: devDeps 1.2.5 / peerDeps ^1.2.5

After this PR, underscore is the only package where the convention is violated: devDeps 1.13.8 but peerDeps ^1.4.4.

Step-by-step proof of the issue

  1. A consumer installs underscore@1.5.0 in their project.
  2. They depend on @khanacademy/perseus (or any of the 5 other packages that use catalog:peerDeps for underscore: perseus-editor, kas, perseus-score, perseus-core, kmath).
  3. pnpm resolves the peer dependency underscore: ^1.4.4 — version 1.5.0 satisfies this range.
  4. No peer dependency warning is raised.
  5. However, Perseus was only tested against underscore 1.13.8. Version 1.5.0 may have different behavior (e.g., _.isEqual stack overflow bug fixed in 1.13.8, and the CVE-2026-27601 that this PR is specifically meant to address).
  6. The consumer unknowingly runs with a vulnerable, untested version of underscore.

Why Dependabot missed this

Dependabot only knows about standard package.json dependency fields. It bumped the devDeps catalog entry in pnpm-workspace.yaml but has no awareness of the project-specific peerDeps catalog convention. The sync-dependencies.ts script mentioned in the file header is meant to handle this synchronization, but it wasn’t run as part of the Dependabot PR.

Impact

Six packages declare "underscore": "catalog:peerDeps" in their peerDependencies: perseus, perseus-editor, kas, perseus-score, perseus-core, and kmath. All of these would advertise ^1.4.4 as their accepted underscore range, silently allowing consumers to use vulnerable versions that were never tested against.

Fix

Update line 62 of pnpm-workspace.yaml from underscore: ^1.4.4 to underscore: ^1.13.8.
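A small drift check for the convention the review above describes, written as an added example for this page; it is not the project's sync-dependencies.ts. It assumes a flat two-level catalogs: block (peerDeps and devDeps catalogs of name: version entries) and uses a constructed pnpm-workspace.yaml fragment as input.

```javascript
// Added example, not project code: flag peerDeps catalog ranges whose lower
// bound no longer matches the pinned devDeps entry (e.g. after a Dependabot
// bump that only touched the devDeps catalog).

// Constructed sample mirroring the state after the bump: devDeps pinned to
// 1.13.8 while the peer range still starts at 1.4.4.
const SAMPLE = `
packages:
  - packages/*
catalogs:
  peerDeps:
    react: ^18.2.0
    jquery: ^2.1.1
    underscore: ^1.4.4
  devDeps:
    react: 18.2.0
    jquery: 2.1.1
    underscore: 1.13.8
`;

// Minimal line-based parser (assumption: only the flat catalogs: block above,
// 2-space indent for catalog names, 4-space indent for name: spec entries).
function parseCatalogs(text) {
  const catalogs = {};
  let inCatalogs = false;
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inCatalogs = line === "catalogs:"; current = null; continue; }
    if (!inCatalogs) continue;
    const [key, ...rest] = line.split(":");
    const value = rest.join(":").trim().replace(/^["']|["']$/g, "");
    if (indent === 2 && value === "") { current = key.trim(); catalogs[current] = {}; }
    else if (indent === 4 && current) catalogs[current][key.trim()] = value;
  }
  return catalogs;
}

// Every peer range must be a caret/tilde range anchored at the devDeps pin.
// Returns one record per violation; an empty array means the file is in sync.
function findPeerRangeDrift(text) {
  const { peerDeps = {}, devDeps = {} } = parseCatalogs(text);
  const drift = [];
  for (const [dep, range] of Object.entries(peerDeps)) {
    const pinned = devDeps[dep];
    const m = /^[\^~](\d+\.\d+\.\d+)$/.exec(range);
    if (pinned === undefined || !m || m[1] !== pinned) {
      drift.push({ dep, range, pinned: pinned ?? null, expected: pinned ? `^${pinned}` : null });
    }
  }
  return drift;
}

console.log(findPeerRangeDrift(SAMPLE));
```

Running it on the sample reports underscore (range ^1.4.4, pinned 1.13.8, expected ^1.13.8) and nothing else; such a check fits naturally in CI so a catalog-only bump cannot merge with the peer range left behind.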
