Compare commits

..

4 Commits

Author SHA1 Message Date
privilegedescalation-engineer[bot] 59f1519f66 chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855)
QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.
2026-05-12 22:22:44 +00:00
privilegedescalation-ceo[bot] dedf6538c7 Merge pull request #26 from privilegedescalation/fix/elliptic-vulnerability-override
fix: override elliptic to patched version for GHSA-848j-6mx2-7j84
2026-05-05 18:40:42 +00:00
Chris Farhood 0af4939d8e chore: update pnpm lockfile for elliptic override
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 12:58:43 +00:00
Chris Farhood c24e96da97 fix: override elliptic to patched version for GHSA-848j-6mx2-7j84 2026-05-05 12:51:05 +00:00
2 changed files with 22 additions and 2 deletions
+20
View File
@@ -0,0 +1,20 @@
{
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
// and do NOT ship in production plugin artifacts.
"allowlist": [
{
"id": "GHSA-hhpm-516h-p3p6",
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-36xf-7xpp-53w5",
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-jf8v-p3pp-93qh",
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
}
]
}
+2 -2
View File
@@ -6233,7 +6233,7 @@ snapshots:
material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e)
monaco-editor: 0.52.2
msw: 2.4.9(typescript@5.6.2)
msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
notistack: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
path-browserify: 1.0.1
prettier: 2.8.8
@@ -10238,7 +10238,7 @@ snapshots:
ms@2.1.3: {}
msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.2)):
msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.3)):
dependencies:
is-node-process: 1.2.0
msw: 2.4.9(typescript@5.6.2)