privilegedescalation/headlamp-argocd-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 2 Wiki Activity

Compare commits

merge into: privilegedescalation/headlamp-argocd-plugin:uat
Branches Tags
privilegedescalation/headlamp-argocd-plugin:main privilegedescalation/headlamp-argocd-plugin:gandalf/remove-ineffective-elliptic-override privilegedescalation/headlamp-argocd-plugin:gandalf/fix-echo-printf-pri-1757 privilegedescalation/headlamp-argocd-plugin:pri-1737-inline-release privilegedescalation/headlamp-argocd-plugin:gandalf/pri-1636-inline-dual-approval privilegedescalation/headlamp-argocd-plugin:inline-ci-workflow-1779274268 privilegedescalation/headlamp-argocd-plugin:inline-ci-af361e40 privilegedescalation/headlamp-argocd-plugin:fix-artifacthub-release privilegedescalation/headlamp-argocd-plugin:uat privilegedescalation/headlamp-argocd-plugin:hugh/argocd-e2e-final privilegedescalation/headlamp-argocd-plugin:hugh/add-e2e-workflow-argocd-plugin privilegedescalation/headlamp-argocd-plugin:hugh/fix-e2e-rbac-apply privilegedescalation/headlamp-argocd-plugin:hugh/add-e2e-final privilegedescalation/headlamp-argocd-plugin:gandalf/add-renovate-github-action privilegedescalation/headlamp-argocd-plugin:release/v0.1.3 privilegedescalation/headlamp-argocd-plugin:fix/elliptic-override-ghsa-848j-6mx2-7j84 privilegedescalation/headlamp-argocd-plugin:fix/elliptic-vulnerability-override privilegedescalation/headlamp-argocd-plugin:gandalf/fix-e2e-pri-657 privilegedescalation/headlamp-argocd-plugin:gandalf/pri-589-cleanup privilegedescalation/headlamp-argocd-plugin:gandalf/cleanup-duplicate-deps-package-json privilegedescalation/headlamp-argocd-plugin:gandalf/fix-duplicate-deps-pnpm-overrides privilegedescalation/headlamp-argocd-plugin:pr-9 privilegedescalation/headlamp-argocd-plugin:release/v0.1.2 privilegedescalation/headlamp-argocd-plugin:chore/add-renovate-config privilegedescalation/headlamp-argocd-plugin:chore/add-funding-yml-v2 privilegedescalation/headlamp-argocd-plugin:feat/scaffold privilegedescalation/headlamp-argocd-plugin:feat/page-injections privilegedescalation/headlamp-argocd-plugin:feat/application-detail privilegedescalation/headlamp-argocd-plugin:feat/applications-list
privilegedescalation/headlamp-argocd-plugin:v0.1.3 privilegedescalation/headlamp-argocd-plugin:v0.1.2
..
pull from: privilegedescalation/headlamp-argocd-plugin:fix/elliptic-override-ghsa-848j-6mx2-7j84
Branches Tags
privilegedescalation/headlamp-argocd-plugin:gandalf/remove-ineffective-elliptic-override privilegedescalation/headlamp-argocd-plugin:gandalf/fix-echo-printf-pri-1757 privilegedescalation/headlamp-argocd-plugin:pri-1737-inline-release privilegedescalation/headlamp-argocd-plugin:main privilegedescalation/headlamp-argocd-plugin:gandalf/pri-1636-inline-dual-approval privilegedescalation/headlamp-argocd-plugin:inline-ci-workflow-1779274268 privilegedescalation/headlamp-argocd-plugin:inline-ci-af361e40 privilegedescalation/headlamp-argocd-plugin:fix-artifacthub-release privilegedescalation/headlamp-argocd-plugin:uat privilegedescalation/headlamp-argocd-plugin:hugh/argocd-e2e-final privilegedescalation/headlamp-argocd-plugin:hugh/add-e2e-workflow-argocd-plugin privilegedescalation/headlamp-argocd-plugin:hugh/fix-e2e-rbac-apply privilegedescalation/headlamp-argocd-plugin:hugh/add-e2e-final privilegedescalation/headlamp-argocd-plugin:gandalf/add-renovate-github-action privilegedescalation/headlamp-argocd-plugin:release/v0.1.3 privilegedescalation/headlamp-argocd-plugin:fix/elliptic-override-ghsa-848j-6mx2-7j84 privilegedescalation/headlamp-argocd-plugin:fix/elliptic-vulnerability-override privilegedescalation/headlamp-argocd-plugin:gandalf/fix-e2e-pri-657 privilegedescalation/headlamp-argocd-plugin:gandalf/pri-589-cleanup privilegedescalation/headlamp-argocd-plugin:gandalf/cleanup-duplicate-deps-package-json privilegedescalation/headlamp-argocd-plugin:gandalf/fix-duplicate-deps-pnpm-overrides privilegedescalation/headlamp-argocd-plugin:pr-9 privilegedescalation/headlamp-argocd-plugin:release/v0.1.2 privilegedescalation/headlamp-argocd-plugin:chore/add-renovate-config privilegedescalation/headlamp-argocd-plugin:chore/add-funding-yml-v2 privilegedescalation/headlamp-argocd-plugin:feat/scaffold privilegedescalation/headlamp-argocd-plugin:feat/page-injections privilegedescalation/headlamp-argocd-plugin:feat/application-detail privilegedescalation/headlamp-argocd-plugin:feat/applications-list
privilegedescalation/headlamp-argocd-plugin:v0.1.3 privilegedescalation/headlamp-argocd-plugin:v0.1.2

2 Commits
uat .. fix/elliptic-override-ghsa-848j-6mx2-7j84

Author SHA1 Message Date
Chris Farhood 1c8ae3ac53 ci: refresh runner state for PR #26 
Trigger fresh CI run to rule out stale runner cache.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:36:41 +00:00
Chris Farhood 44d96aef57 fix: add elliptic override for GHSA-848j-6mx2-7j84 
Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-05 18:07:58 +00:00
3 changed files with 2 additions and 42 deletions
Expand all files Collapse all files
.github/workflows/dual-approval.yaml
-20
View File
@@ -1,20 +0,0 @@
name: Promotion Gate
# Calls the shared promotion gate workflow.
# dev PRs: no gate (engineer self-merges).
# uat PRs: QA approval required.
# main PRs: UAT approval required (uat→main promotions).
on:
pull_request_review:
types: [submitted, dismissed]
pull_request:
branches: [uat, main]
types: [opened, reopened, synchronize]
jobs:
promotion-gate:
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
secrets: inherit
with:
pr_number: ${{ github.event.pull_request.number }}
audit-ci.jsonc
-20
View File
@@ -1,20 +0,0 @@
{
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
// and do NOT ship in production plugin artifacts.
"allowlist": [
{
"id": "GHSA-hhpm-516h-p3p6",
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-36xf-7xpp-53w5",
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-jf8v-p3pp-93qh",
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
}
]
}
pnpm-lock.yaml
Generated
+2 -2
View File
@@ -6233,7 +6233,7 @@ snapshots:
material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e)
monaco-editor: 0.52.2
msw: 2.4.9(typescript@5.6.2)
msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
notistack: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
path-browserify: 1.0.1
prettier: 2.8.8
@@ -10238,7 +10238,7 @@ snapshots:
ms@2.1.3: {}
msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.3)):
msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.2)):
dependencies:
is-node-process: 1.2.0
msw: 2.4.9(typescript@5.6.2)