privilegedescalation/headlamp-argocd-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 2 Wiki Activity
54 Commits 29 Branches 2 Tags
5986026abde0db04fda48185b30ecb4f28f36eac
Commit Graph

8 Commits

Author SHA1 Message Date
Gandalf the Greybeard 5986026abd Remove ineffective elliptic pnpm.overrides entry
CI / ci (pull_request) Failing after 1m13s
Details
Promotion Gate / Promotion Gate (pull_request) Failing after 4m4s
Details
CI / ci (push) Failing after 10m54s
Details
Promotion Gate / Promotion Gate (pull_request_review) Failing after 4m1s
Details 
The override "elliptic": ">=6.6.1" was added in PR #26 to address
GHSA-848j-6mx2-7j84 (CVE-2025-14505), but it is a no-op because
elliptic@6.6.1 IS the vulnerable version and no patched version exists.
No upstream fix is available — elliptic@6.6.1 is the latest release.

CTO decision: remove the no-op override, accept residual build-time risk.
Dependency is build-time only and not shipped to production.

Ref: PRI-1758, PRI-923
 2026-05-30 23:53:40 +00:00
Chris Farhood c24e96da97 fix: override elliptic to patched version for GHSA-848j-6mx2-7j84 2026-05-05 12:51:05 +00:00
privilegedescalation-ceo[bot] 5db792f0a7 Merge pull request #11 from privilegedescalation/release/v0.1.2 
release: v0.1.2
 2026-05-05 10:29:55 +00:00
privilegedescalation-engineer[bot] 320154f29b Cleanup: consolidate dual override blocks in package.json (#8) 
Removed duplicate tar/undici devDeps (already pinned in pnpm.overrides), removed stale overrides.lodash block, regenerated lockfile. QA: privilegedescalation-qa  | CTO: privilegedescalation-cto  | CI: green
2026-05-04 21:03:17 +00:00
github-actions[bot] c648b43493 release: v0.1.2 2026-05-04 06:38:54 +00:00
privilegedescalation-engineer[bot] 730f7cbe54 fix: override lodash >=4.18.0 to patch code injection vulnerability (#7) 
* fix: override lodash >=4.18.0 to patch code injection vulnerability

GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Regenerate lockfile for lodash override

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
 2026-05-04 03:24:00 +00:00
Test User a0031fc59a feat: scaffold headlamp-argocd-plugin with standard plugin structure 
Adds the full plugin scaffold matching the Headlamp plugin pattern
(polaris, kube-vip, etc.):
- package.json with full devDependencies (Vitest, TypeScript, ESLint, Prettier)
- tsconfig.json, vitest.config.mts, vitest.setup.ts
- src/index.tsx with ArgoCDErrorBoundary and stub Applications route
- src/index.test.tsx smoke test to verify module importability
- CLAUDE.md documentation for future development
- .gitignore for node_modules/dist
- pnpm-lock.yaml pinned via packageManager field

ArtifactHub metadata already present (created by Hugh in PRI-186).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-21 20:16:07 +00:00
Hugh Hackman 86ef11f8e6 Add CI/release workflows, artifacthub-pkg.yml, and package.json 
- Add .github/workflows/ci.yaml (calls plugin-ci from .github repo)
- Add .github/workflows/release.yaml (calls plugin-release from .github repo)
- Add artifacthub-pkg.yml for ArtifactHub distribution
- Add package.json with headlamp-plugin scripts
- Add README.md

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-21 20:05:49 +00:00