From 741e158c40c00dc63c7922a887244ad468b2019c Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard
Date: Thu, 23 Apr 2026 11:04:25 +0000
Subject: [PATCH] fix: override lodash >=4.18.0 to patch code injection vulnerability

GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7
---
 package.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 5b00ee6..e55bee6 100644
--- a/package.json
+++ b/package.json
@@ -56,5 +56,8 @@
 "typescript": "~5.6.2",
 "undici": "^7.24.3",
 "vitest": "^3.0.5"
+ },
+ "overrides": {
+ "lodash": ">=4.18.0"
 }
-}
\ No newline at end of file
+}
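Review bot: The override range `>=4.18.0` on the added `"lodash"` line has no upper bound, so any later major release would satisfy it and be forced onto every transitive consumer, including @kinvolk/headlamp-plugin, which was presumably written against the 4.x API. Bounding it to the patched major, `"lodash": "^4.18.0"`, keeps the fix for GHSA-r5fr-rjxr-66jc while limiting what a fresh resolve can pull in. The diffstat lists only package.json, so if the repository commits a lockfile it should be regenerated in the same change, and `npm ls lodash` run to confirm that no copy below 4.18.0 remains in the tree. `overrides` is the npm field; if the project installs with a different package manager, that manager's equivalent setting is needed instead, which cannot be confirmed from this hunk.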