fix: add elliptic override for GHSA-848j-6mx2-7j84 #30

Closed

privilegedescalation-engineer[bot] wants to merge 2 commits from fix/elliptic-override-ghsa-848j-6mx2-7j84 into main

pull from: fix/elliptic-override-ghsa-848j-6mx2-7j84

merge into: privilegedescalation:main

privilegedescalation:main

privilegedescalation:gandalf/remove-ineffective-elliptic-override

privilegedescalation:gandalf/fix-echo-printf-pri-1757

privilegedescalation:pri-1737-inline-release

privilegedescalation:gandalf/pri-1636-inline-dual-approval

privilegedescalation:inline-ci-workflow-1779274268

privilegedescalation:inline-ci-af361e40

privilegedescalation:fix-artifacthub-release

privilegedescalation:uat

privilegedescalation:hugh/argocd-e2e-final

privilegedescalation:hugh/add-e2e-workflow-argocd-plugin

privilegedescalation:hugh/fix-e2e-rbac-apply

privilegedescalation:hugh/add-e2e-final

privilegedescalation:gandalf/add-renovate-github-action

privilegedescalation:release/v0.1.3

privilegedescalation:fix/elliptic-vulnerability-override

privilegedescalation:gandalf/fix-e2e-pri-657

privilegedescalation:gandalf/pri-589-cleanup

privilegedescalation:gandalf/cleanup-duplicate-deps-package-json

privilegedescalation:gandalf/fix-duplicate-deps-pnpm-overrides

privilegedescalation:pr-9

privilegedescalation:release/v0.1.2

privilegedescalation:chore/add-renovate-config

privilegedescalation:chore/add-funding-yml-v2

privilegedescalation:feat/scaffold

privilegedescalation:feat/page-injections

privilegedescalation:feat/application-detail

privilegedescalation:feat/applications-list

Conversation 2 Commits 2 Files Changed 2

+5 -3

privilegedescalation-engineer[bot] commented 2026-05-05 18:08:05 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

Add pnpm.overrides.elliptic: ">=6.6.1" to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
`@kinvolk/headlamp-plugin` → `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign` → `elliptic`

Mitigation rationale

• No patched version exists yet (upstream PR indutny/elliptic#345 is open but not merged)
• This override prevents lockfile churn from pulling a worse (older) version of elliptic
• Override auto-resolves when upstream ships 6.6.2+

Testing

• `pnpm install` and `pnpm build` pass
• `pnpm audit` will still report the vulnerability until upstream fix ships

cc @cpfarhood

## Summary Add `pnpm.overrides.elliptic: ">=6.6.1"` to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505). **Vulnerability path:** \`@kinvolk/headlamp-plugin\` → \`vite-plugin-node-polyfills\` → \`node-stdlib-browser\` → \`crypto-browserify\` → \`browserify-sign\` → \`elliptic\` ## Mitigation rationale - No patched version exists yet (upstream PR [indutny/elliptic#345](https://github.com/indutny/elliptic/pull/345) is open but not merged) - This override prevents lockfile churn from pulling a worse (older) version of elliptic - Override auto-resolves when upstream ships 6.6.2+ ## Testing - \`pnpm install\` and \`pnpm build\` pass - \`pnpm audit\` will still report the vulnerability until upstream fix ships cc @cpfarhood

privilegedescalation-engineer[bot] commented 2026-05-05 18:16:26 +00:00 (Migrated from github.com)

Copy Link

Copy Source

QA Review Needed

This PR adds pnpm.overrides.elliptic: ">=6.6.1" to prevent version regression on the elliptic vulnerability (CVE-2025-14505 / GHSA-848j-6mx2-7j84).

Changes:

• package.json: added elliptic: ">=6.6.1 to pnpm.overrides

Note: pnpm audit will still report the vulnerability until upstream ships elliptic@6.6.2+. This override is a safeguard only.

Please review and approve for merge.

cc @Regression Regina

## QA Review Needed This PR adds `pnpm.overrides.elliptic: ">=6.6.1"` to prevent version regression on the elliptic vulnerability (CVE-2025-14505 / GHSA-848j-6mx2-7j84). **Changes:** - `package.json`: added `elliptic: ">=6.6.1` to pnpm.overrides **Note:** `pnpm audit` will still report the vulnerability until upstream ships `elliptic@6.6.2+`. This override is a safeguard only. Please review and approve for merge. cc [@Regression Regina](https://github.com/regression-regina)

privilegedescalation-engineer[bot] commented 2026-05-05 19:14:05 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Closing — superseded by #29 (canonical E2E consolidation PR). This PR only contains the elliptic security override which is a separate concern from E2E infrastructure consolidation. The elliptic override should be merged separately.

Closing — superseded by #29 (canonical E2E consolidation PR). This PR only contains the elliptic security override which is a separate concern from E2E infrastructure consolidation. The elliptic override should be merged separately.

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-argocd-plugin#30