fix: override lodash >=4.18.0 to patch code injection vulnerability (#51)

* fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: update package-lock.json to satisfy lodash override The package.json override requires lodash >=4.18.0, but the lockfile had 4.17.23. Regenerated lockfile with npm install --include=dev. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope heading locators to main content area Cherry-picked from PR #50 to fix E2E test failures on lodash PR. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-03 17:44:15 +00:00
parent 823e590513
commit 00c29e36dd
3 changed files with 26 additions and 17 deletions
@@ -19,16 +19,18 @@ test.describe('Intel GPU plugin smoke tests', () => {
    // Should navigate to the overview route
    await expect(page).toHaveURL(/\/intel-gpu$/);
-    await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible();
+    await expect(
      page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
    ).toBeVisible();
  });
  test('overview page renders GPU device list or empty state', async ({ page }) => {
    await page.goto('/c/main/intel-gpu');
    // Overview heading should be present
-    await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible({
+    await expect(
-      timeout: 15_000,
+      page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
-    });
+    ).toBeVisible({ timeout: 15_000 });
    // Either a populated table/list or an empty-state indicator must be visible
    const hasTable = await page.locator('table').first().isVisible().catch(() => false);
@@ -43,9 +45,9 @@ test.describe('Intel GPU plugin smoke tests', () => {
  test('device plugins page renders or shows empty state', async ({ page }) => {
    await page.goto('/c/main/intel-gpu/device-plugins');
-    await expect(page.getByRole('heading', { name: /Intel GPU — Device Plugins/i })).toBeVisible({
+    await expect(
-      timeout: 15_000,
+      page.locator('main').getByRole('heading', { name: 'Intel GPU — Device Plugins' })
-    });
+    ).toBeVisible({ timeout: 15_000 });
    const hasTable = await page.locator('table').first().isVisible().catch(() => false);
    const hasEmptyState = await page
@@ -61,18 +63,24 @@ test.describe('Intel GPU plugin smoke tests', () => {
    // not after clicking the parent entry from the overview. Test route
    // accessibility via direct navigation — each route must render its heading.
    await page.goto('/c/main/intel-gpu');
-    await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible({
+    await expect(
-      timeout: 15_000,
+      page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
-    });
+    ).toBeVisible({ timeout: 15_000 });
    await page.goto('/c/main/intel-gpu/nodes');
-    await expect(page.getByRole('heading', { name: /Intel GPU — Nodes/i })).toBeVisible({ timeout: 15_000 });
+    await expect(
      page.locator('main').getByRole('heading', { name: 'Intel GPU — Nodes' })
    ).toBeVisible({ timeout: 15_000 });
    await page.goto('/c/main/intel-gpu/pods');
-    await expect(page.getByRole('heading', { name: /Intel GPU — Pods/i })).toBeVisible({ timeout: 15_000 });
+    await expect(
      page.locator('main').getByRole('heading', { name: 'Intel GPU — Pods' })
    ).toBeVisible({ timeout: 15_000 });
    await page.goto('/c/main/intel-gpu/metrics');
-    await expect(page.getByRole('heading', { name: /Intel GPU — Metrics/i })).toBeVisible({ timeout: 15_000 });
+    await expect(
      page.locator('main').getByRole('heading', { name: 'Intel GPU — Metrics' })
    ).toBeVisible({ timeout: 15_000 });
  });
  test('plugin settings page shows intel-gpu plugin entry', async ({ page }) => {
@@ -11600,9 +11600,9 @@
      }
    },
    "node_modules/lodash": {
-      "version": "4.17.23",
+      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
      "dev": true,
      "license": "MIT"
    },
@@ -44,6 +44,7 @@
  },
  "overrides": {
    "tar": "^7.5.11",
-    "undici": "^7.24.3"
+    "undici": "^7.24.3",
    "lodash": ">=4.18.0"
  }
 }