The override "elliptic": ">=6.6.1" was added in PR #26 to address
GHSA-848j-6mx2-7j84 (CVE-2025-14505), but it is a no-op because
elliptic@6.6.1 IS the vulnerable version and no patched version exists.
No upstream fix is available — elliptic@6.6.1 is the latest release.
CTO decision: remove the no-op override, accept residual build-time risk.
Dependency is build-time only and not shipped to production.
Ref: PRI-1758, PRI-923
* fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Regenerate lockfile for lodash override
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Adds the full plugin scaffold matching the Headlamp plugin pattern
(polaris, kube-vip, etc.):
- package.json with full devDependencies (Vitest, TypeScript, ESLint, Prettier)
- tsconfig.json, vitest.config.mts, vitest.setup.ts
- src/index.tsx with ArgoCDErrorBoundary and stub Applications route
- src/index.test.tsx smoke test to verify module importability
- CLAUDE.md documentation for future development
- .gitignore for node_modules/dist
- pnpm-lock.yaml pinned via packageManager field
ArtifactHub metadata already present (created by Hugh in PRI-186).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gandalf the Greybeard
Chris Farhood