From 32d825e44148a3d26a8dd817dbf18b0f558fb8d5 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 00:43:51 +0000
Subject: [PATCH] fix: add elliptic override for GHSA-848j-6mx2-7j84 (#68)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add pnpm.overrides.elliptic to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path: @kinvolk/headlamp-plugin → vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until upstream publishes elliptic 6.6.2+. This override safeguards against pulling a worse version.

Co-authored-by: Chris Farhood
Co-authored-by: Paperclip
---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 3732196..5648d6c 100644
--- a/package.json
+++ b/package.json
@@ -45,6 +45,7 @@
 "overrides": {
 "tar": "^7.5.11",
 "undici": "^7.24.3",
- "lodash": ">=4.18.0"
+ "lodash": ">=4.18.0",
+ "elliptic": ">=6.6.1"
 }
 }
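Review bot: The diffstat shows only package.json changing, but a new `pnpm.overrides` entry also changes the overrides snapshot pnpm records in its lockfile, so if this repository commits a pnpm-lock.yaml and CI installs with `--frozen-lockfile`, the next install will be rejected as outdated until the lockfile is regenerated and committed with this change. The floor `"elliptic": ">=6.6.1"` is also one patch release below the version the description itself expects to carry the fix (6.6.2+), so the override only blocks regression and does not close GHSA-848j-6mx2-7j84; a tracked follow-up should raise the floor to the patched release once it is published, or the advisory will stay open while audit output is being ignored. As written the range is unbounded upward, unlike the caret ranges on `tar` and `undici` in the same block; `"elliptic": "^6.6.1"` keeps the same floor while staying within the major line the transitive dependency was resolved against. The object enclosing `overrides` starts outside the hunk.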