Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 59f1519f66 | |||
| dedf6538c7 | |||
| 0af4939d8e | |||
| c24e96da97 |
@@ -0,0 +1,20 @@
|
||||
{
|
||||
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
|
||||
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
|
||||
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
|
||||
// and do NOT ship in production plugin artifacts.
|
||||
"allowlist": [
|
||||
{
|
||||
"id": "GHSA-hhpm-516h-p3p6",
|
||||
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
|
||||
},
|
||||
{
|
||||
"id": "GHSA-36xf-7xpp-53w5",
|
||||
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
|
||||
},
|
||||
{
|
||||
"id": "GHSA-jf8v-p3pp-93qh",
|
||||
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
|
||||
}
|
||||
]
|
||||
}
|
||||
+2
-1
@@ -33,7 +33,8 @@
|
||||
"overrides": {
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3",
|
||||
"flatted": "^3.4.2"
|
||||
"flatted": "^3.4.2",
|
||||
"elliptic": ">=6.6.1"
|
||||
}
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
Generated
+1
@@ -8,6 +8,7 @@ overrides:
|
||||
tar: ^7.5.11
|
||||
undici: ^7.24.3
|
||||
flatted: ^3.4.2
|
||||
elliptic: '>=6.6.1'
|
||||
|
||||
importers:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user