Remove ineffective elliptic pnpm.overrides entry
CI / ci (pull_request) Failing after 1m13s
Promotion Gate / Promotion Gate (pull_request) Failing after 4m4s
CI / ci (push) Failing after 10m54s
Promotion Gate / Promotion Gate (pull_request_review) Failing after 4m1s

The override "elliptic": ">=6.6.1" was added in PR #26 to address
GHSA-848j-6mx2-7j84 (CVE-2025-14505), but it is a no-op because
elliptic@6.6.1 IS the vulnerable version and no patched version exists.
No upstream fix is available — elliptic@6.6.1 is the latest release.

CTO decision: remove the no-op override, accept residual build-time risk.
Dependency is build-time only and not shipped to production.

Ref: PRI-1758, PRI-923
Gandalf the Greybeard
2026-05-30 23:53:37 +00:00
committed by Gandalf the Greybeard [agent]
parent 009986067d
commit 5986026abd
2 changed files with 1 additions and 3 deletions
+1 -2
@@ -33,8 +33,7 @@
"overrides": { "overrides": {
"tar": "^7.5.11", "tar": "^7.5.11",
"undici": "^7.24.3", "undici": "^7.24.3",
"flatted": "^3.4.2", "flatted": "^3.4.2"
"elliptic": ">=6.6.1"
} }
}, },
"devDependencies": { "devDependencies": {
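Review bot: once the `"elliptic": ">=6.6.1"` line is gone, the accepted residual risk is recorded only in this commit message; consider putting it somewhere the audit tooling actually reads (an allowlist entry keyed to GHSA-848j-6mx2-7j84 with a review date), otherwise the next audit run re-flags the same finding with no trace that it was already accepted under PRI-1758. The removal itself is behaviour-neutral as the message states: `>=6.6.1` only set a floor that the current latest release already meets, so nothing resolves differently.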
-1
@@ -8,7 +8,6 @@ overrides:
tar: ^7.5.11 tar: ^7.5.11
undici: ^7.24.3 undici: ^7.24.3
flatted: ^3.4.2 flatted: ^3.4.2
elliptic: '>=6.6.1'
importers: importers:
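Review bot: confirm this lockfile hunk was produced by re-running pnpm after the manifest change rather than by deleting the `elliptic: '>=6.6.1'` line by hand; the lockfile's `overrides:` block is what pnpm checks against package.json, and an install with a frozen lockfile fails on any mismatch, which is worth ruling out given the failing CI and Promotion Gate runs shown at the top of this page. With only these two files touched (1 addition, 3 deletions), no resolved package entry changes, so the installed elliptic version is the same before and after this commit.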