From 741e158c40c00dc63c7922a887244ad468b2019c Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard
Date: Thu, 23 Apr 2026 11:04:25 +0000
Subject: [PATCH 1/2] fix: override lodash >=4.18.0 to patch code injection vulnerability

GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7
---
 package.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 5b00ee6..e55bee6 100644
--- a/package.json
+++ b/package.json
@@ -56,5 +56,8 @@
 "typescript": "~5.6.2",
 "undici": "^7.24.3",
 "vitest": "^3.0.5"
+ },
+ "overrides": {
+ "lodash": ">=4.18.0"
 }
-}
\ No newline at end of file
+}
--
2.52.0

From 351e05f05238262b483dd0016cc7fbce3b8f9244 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 3 May 2026 18:03:56 +0000
Subject: [PATCH 2/2] Regenerate lockfile for lodash override

Co-Authored-By: Paperclip
---
 pnpm-lock.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 39fb734..d7a6565 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6235,7 +6235,7 @@ snapshots: jsdom: 24.1.3 jsonpath-plus: 10.4.0 lodash: 4.18.1 - material-react-table: 2.13.3(330725fe5432f245d076f0c0dda1a7a7) + material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e) monaco-editor: 0.52.2 msw: 2.4.9(typescript@5.6.2) msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
@@ -9937,7 +9937,7 @@ snapshots: '@types/minimatch': 3.0.5 minimatch: 3.1.5 - material-react-table@2.13.3(330725fe5432f245d076f0c0dda1a7a7): + material-react-table@2.13.3(0078ddeddc9e779fa84c03996c1db10e): dependencies: '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1) '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
--
2.52.0
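Review bot: The added top-level `"overrides"` key in the package.json hunk is npm's override field, and the repository's lockfile in the following commit is `pnpm-lock.yaml`, which indicates pnpm is the installer; to my knowledge pnpm reads overrides only from the `pnpm.overrides` field of package.json, so this entry may not be applied at install time. The lockfile hunk of the second commit shows `lodash: 4.18.1` only as an unchanged context line, which is consistent with the override not having changed lodash's resolution in that snapshot, though the rest of the lockfile is not visible here. If pnpm is the installer, nest the override as `"pnpm": { "overrides": { "lodash": ">=4.18.0" } }` (keeping the npm key as well if both managers are used) and confirm with `pnpm why lodash` that no copy below 4.18.0 remains under @kinvolk/headlamp-plugin. The object closed at the top of the hunk (presumably `devDependencies`) starts outside it.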