fix: re-remove tar and undici from devDependencies (PRI-560)

The merge conflict resolution reverted the f0de1fa fix. Re-applied removal of duplicate tar@^7.5.11 and undici@^7.24.3 from devDependencies — both are already pinned via pnpm.overrides. Also removed the spurious overrides.lodash block that was reintroduced. Co-Authored-By: Paperclip <noreply@paperclip.ing>
chore: sync with main lockfile
2026-05-04 20:18:34 +00:00 · 2026-05-04 16:31:22 +00:00 · 2026-05-04 16:30:32 +00:00 · 2026-05-04 16:28:09 +00:00 · 2026-05-04 16:24:29 +00:00 · 2026-05-04 16:08:26 +00:00
9 changed files with 7 additions and 111 deletions
@@ -2,13 +2,9 @@ name: CI

 on:
  push:
-    branches: ['**']
+    branches: [main]
  pull_request:
-    branches: [main, dev]
-  workflow_dispatch:
-
-permissions:
-  contents: read
+    branches: [main]

 jobs:
  ci:
@@ -1,20 +0,0 @@
-name: Promotion Gate
-
-# Calls the shared promotion gate workflow.
-# dev PRs: no gate (engineer self-merges).
-# uat PRs: QA approval required.
-# main PRs: UAT approval required (uat→main promotions).
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-  pull_request:
-    branches: [uat, main]
-    types: [opened, reopened, synchronize]
-
-jobs:
-  promotion-gate:
-    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    secrets: inherit
-    with:
-      pr_number: ${{ github.event.pull_request.number }}
@@ -1,53 +0,0 @@
-{
-  "config": {
-    // Line length — not enforced for docs with code examples
-    "MD013": false,
-    // First line heading — files use YAML frontmatter, not headings
-    "MD041": false,
-    // Emphasis as heading — common pattern for Option 1/2/3 sections
-    "MD036": false,
-    // No duplicate heading — changelog files repeat section names intentionally
-    "MD024": false,
-    // Fenced code language — not always applicable for diagram blocks
-    "MD040": false,
-    // Table column style — table alignment is visual, not semantic
-    "MD060": false,
-    // Ordered list item prefix — number resets are intentional in documents
-    "MD029": false,
-    // No inline HTML — each elements are valid in valid Markdown
-    "MD033": false,
-    // List marker space — spacing after list markers varies by editor
-    "MD030": false,
-    // Blanks around headings — not always needed in compact docs
-    "MD022": false,
-    // Blanks around lists — not always needed in compact docs
-    "MD032": false,
-    // Blanks around fences — not always needed between adjacent blocks
-    "MD031": false,
-    // Multiple blanks — editor artifacts, not semantic
-    "MD012": false,
-    // Single title — files may have multiple H1 sections
-    "MD025": false,
-    // Trailing spaces — editor artifacts
-    "MD009": false,
-    // Bare URLs — URL shortening not always needed
-    "MD034": false,
-    // Single trailing newline — editor artifacts
-    "MD047": false,
-    // Trailing punctuation — heading punctuation is intentional
-    "MD026": false,
-    // Space in emphasis — double-asterisk bold spacing varies by renderer
-    "MD037": false,
-    // No hard tabs — some generated docs use tabs for indentation
-    "MD010": false,
-    // Code block style — generated docs may use inconsistent styles
-    "MD046": false,
-    // Comment style — generated docs have no comments
-    "MD048": false,
-    // Commands show output — shell examples intentionally show only commands
-    "MD014": false
-  },
-  "ignores": [
-    "docs/api-reference/generated/**"
-  ]
-}
@@ -1 +0,0 @@
-docs/api-reference/generated/**
@@ -1,4 +1,4 @@
-version: "0.1.2"
+version: "0.1.0"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,8 +26,8 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.0/headlamp-argocd-0.1.0.tar.gz"
+  headlamp/plugin/archive-checksum: "sha256:1f4df43f79b795bdf4f70e1e3aa5bacadf689ea5584fdadf92fb677faab21c2c"
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
 changes:
@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}
@@ -1,6 +1,6 @@
 {
  "name": "@privilegedescalation/headlamp-argocd-plugin",
-  "version": "0.1.2",
+  "version": "0.1.0",
  "description": "Headlamp plugin for ArgoCD visibility — monitors ArgoCD Applications, Rollouts, and health status",
  "repository": {
    "type": "git",
@@ -33,8 +33,7 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2",
-      "elliptic": ">=6.6.1"
+      "flatted": "^3.4.2"
    }
  },
  "devDependencies": {
@@ -8,7 +8,6 @@ overrides:
  tar: ^7.5.11
  undici: ^7.24.3
  flatted: ^3.4.2
-  elliptic: '>=6.6.1'

 importers:

@@ -1,4 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>privilegedescalation/.github:renovate-config"]
-}
Author	SHA1	Message	Date
Chris Farhood	dec9ab2ba8	fix: re-remove tar and undici from devDependencies (PRI-560) The merge conflict resolution reverted the `f0de1fa` fix. Re-applied removal of duplicate tar@^7.5.11 and undici@^7.24.3 from devDependencies — both are already pinned via pnpm.overrides. Also removed the spurious overrides.lodash block that was reintroduced. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 20:18:34 +00:00
Chris Farhood	d71d27ae5e	chore: sync with main lockfile Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:31:22 +00:00
Chris Farhood	f7868f787e	Resolve merge conflict: use main's pnpm-lock.yaml Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:30:32 +00:00
Chris Farhood	3e70399d1d	docs: update README Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:28:09 +00:00
Chris Farhood	8b1987f711	chore: retrigger CI after lockfile regeneration Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:24:29 +00:00
Chris Farhood	ac026d61db	chore: trigger CI after lockfile regeneration Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:08:26 +00:00
Chris Farhood	c2bcee6dc8	chore: regenerate pnpm lockfile after devDependency cleanup Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 16:00:09 +00:00
Chris Farhood	0c521be1a1	Remove duplicate tar/undici from devDependencies (already in pnpm.overrides) Consolidates dual override blocks by removing the duplicate entries from devDependencies. These packages are already pinned via pnpm.overrides and should not appear in devDependencies. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 02:21:10 +00:00