From 730f7cbe5499a60d506a5e832360d67ee934f2b1 Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 03:24:00 +0000 Subject: [PATCH 1/2] fix: override lodash >=4.18.0 to patch code injection vulnerability (#7) * fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 * Regenerate lockfile for lodash override Co-Authored-By: Paperclip --------- Co-authored-by: Gandalf the Greybeard Co-authored-by: Claude Opus 4.7 Co-authored-by: Chris Farhood Co-authored-by: Paperclip --- package.json | 5 ++++- pnpm-lock.yaml | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 5b00ee6..e55bee6 100644 --- a/package.json +++ b/package.json @@ -56,5 +56,8 @@ "typescript": "~5.6.2", "undici": "^7.24.3", "vitest": "^3.0.5" + }, + "overrides": { + "lodash": ">=4.18.0" } -} \ No newline at end of file +} diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 39fb734..d7a6565 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6235,7 +6235,7 @@ snapshots: jsdom: 24.1.3 jsonpath-plus: 10.4.0 lodash: 4.18.1 - material-react-table: 2.13.3(330725fe5432f245d076f0c0dda1a7a7) + material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e) monaco-editor: 0.52.2 msw: 2.4.9(typescript@5.6.2) msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3)) 
@@ -9937,7 +9937,7 @@ snapshots: '@types/minimatch': 3.0.5 minimatch: 3.1.5 - material-react-table@2.13.3(330725fe5432f245d076f0c0dda1a7a7): + material-react-table@2.13.3(0078ddeddc9e779fa84c03996c1db10e): dependencies: '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1) '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1) -- 2.52.0 From 827b4f31cc6d44a11207c2fe6e084f02f07e8d85 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 08:31:11 +0000 Subject: [PATCH 2/2] docs: confirm headlamp namespace audit (PRI-439) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Audit of headlamp-argocd-plugin for kube-system → headlamp namespace redirect. No in-scope kube-system references found. In-scope files audited (all clean): - README.md: no install snippet referencing kube-system - CLAUDE.md: no kube-system references - artifacthub-pkg.yml: no kube-system references Out-of-scope upstream-workload references verified untouched: - ArgoCD server lives in 'argocd' namespace (upstream watched workload) - Plugin install path is via Headlamp plugin manager (ArtifactHub), not Helm No code/text changes required. PR opened for SDLC sign-off. Co-Authored-By: Paperclip -- 2.52.0
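Review bot: In the package.json hunk, the new top-level `overrides` key is npm's convention; pnpm reads overrides from the nested `pnpm.overrides` field (or pnpm-workspace.yaml), so confirm pnpm is actually honouring this entry. Two things in this patch suggest it is not taking effect: the lockfile hunks add no `overrides:` section, and the only lockfile change is a peer-dependency hash on material-react-table, not anything on lodash. If the key is ignored, the GHSA-r5fr-rjxr-66jc fix described in the commit message is a no-op; moving the range under `"pnpm": { "overrides": { "lodash": ">=4.18.0" } }` and re-running install should produce a lockfile `overrides:` entry you can point to. Dropping the `\ No newline at end of file` marker is fine.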
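Review bot: In the first pnpm-lock.yaml hunk, `lodash: 4.18.1` is unchanged context, so lodash was already resolved at a patched version before this commit; the only actual change is the peer suffix on `material-react-table: 2.13.3(...)`, which is unrelated to lodash. The "Regenerate lockfile for lodash override" message should say what drove that hash change (a peer re-resolution, a different @types/react version) so a reader does not mistake it for the override landing. Also note the surrounding context mixes `typescript@5.6.2` and `typescript@5.6.3` for msw and msw-storybook-addon, which is worth a follow-up cleanup.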
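Review bot: In the second pnpm-lock.yaml hunk, the renamed snapshot key `material-react-table@2.13.3(0078ddeddc9e779fa84c03996c1db10e)` matches the reference in the earlier hunk, so the lockfile stays internally consistent. The dependency lines in context resolve `@emotion/styled` against `@types/react@19.2.14` nested inside `@types/react@18.3.28`, which is the likely source of this peer-suffix churn; pinning a single @types/react major would stop the hash from moving on unrelated commits.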
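Review bot: PATCH 2/2 (PRI-439) carries no diff at all, so the audit result lives only in the commit message and nothing in the repository records it. For SDLC sign-off it would be stronger to commit the audit note (for example under the docs this series is titled for) or the exact search used over README.md, CLAUDE.md and artifacthub-pkg.yml, so the "no kube-system references" finding can be re-run later rather than taken on trust.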