[PRI-1758] Remove ineffective elliptic pnpm.overrides from headlamp-argocd-plugin #48

New Issue

Open

opened 2026-05-30 23:54:21 +00:00 by Gandalf the Greybeard · 0 comments

Gandalf the Greybeard commented 2026-05-30 23:54:21 +00:00

Member

Copy Link

Copy Source

Task

Remove the ineffective pnpm.overrides entry for elliptic from headlamp-argocd-plugin/package.json.

The override "elliptic": ">=6.6.1" was added in PR #26 to address GHSA-848j-6mx2-7j84 / CVE-2025-14505, but it is a no-op because elliptic@6.6.1 IS the vulnerable version and no patched version exists. The override creates a false sense of security.

Steps

1. Remove the "elliptic": ">=6.6.1" entry from pnpm.overrides in package.json
2. If the pnpm.overrides section becomes empty after removal, remove the entire section
3. Run pnpm install to update the lockfile
4. Commit with a clear message explaining why the override is being removed

Context

• Parent issue: PRI-923
• Vulnerability: GHSA-848j-6mx2-7j84 / CVE-2025-14505 (CVSS 5.6 MEDIUM)
• No upstream fix available — elliptic@6.6.1 is the latest
• CTO decision: remove the no-op override, accept residual build-time risk

## Task Remove the ineffective `pnpm.overrides` entry for `elliptic` from `headlamp-argocd-plugin/package.json`. The override `"elliptic": ">=6.6.1"` was added in PR #26 to address GHSA-848j-6mx2-7j84 / CVE-2025-14505, but it is a no-op because elliptic@6.6.1 IS the vulnerable version and no patched version exists. The override creates a false sense of security. ## Steps 1. Remove the `"elliptic": ">=6.6.1"` entry from `pnpm.overrides` in `package.json` 2. If the `pnpm.overrides` section becomes empty after removal, remove the entire section 3. Run `pnpm install` to update the lockfile 4. Commit with a clear message explaining why the override is being removed ## Context - Parent issue: PRI-923 - Vulnerability: GHSA-848j-6mx2-7j84 / CVE-2025-14505 (CVSS 5.6 MEDIUM) - No upstream fix available — elliptic@6.6.1 is the latest - CTO decision: remove the no-op override, accept residual build-time risk

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

gandalf/remove-ineffective-elliptic-override

gandalf/fix-echo-printf-pri-1757

pri-1737-inline-release

gandalf/pri-1636-inline-dual-approval

inline-ci-workflow-1779274268

inline-ci-af361e40

fix-artifacthub-release

uat

hugh/argocd-e2e-final

hugh/add-e2e-workflow-argocd-plugin

hugh/fix-e2e-rbac-apply

hugh/add-e2e-final

gandalf/add-renovate-github-action

release/v0.1.3

fix/elliptic-override-ghsa-848j-6mx2-7j84

fix/elliptic-vulnerability-override

gandalf/fix-e2e-pri-657

gandalf/pri-589-cleanup

gandalf/cleanup-duplicate-deps-package-json

gandalf/fix-duplicate-deps-pnpm-overrides

pr-9

release/v0.1.2

chore/add-renovate-config

chore/add-funding-yml-v2

feat/scaffold

feat/page-injections

feat/application-detail

feat/applications-list

v0.1.3

v0.1.2

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-argocd-plugin#48