privilegedescalation/headlamp-intel-gpu-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases 9 Wiki Activity

feat(security): add audit-ci.jsonc allowlist for dev-branch CVEs

Browse Source 
CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin
transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do
not ship in production plugin artifacts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Chris Farhood
2026-05-13 13:15:11 +00:00
committed by Hugh Hackman [agent]
parent 7037a7b29c
commit 3f22fb3561
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
audit-ci.jsonc
+20
View File
@@ -0,0 +1,20 @@
{
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
// and do NOT ship in production plugin artifacts.
"allowlist": [
{
"id": "GHSA-hhpm-516h-p3p6",
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-36xf-7xpp-53w5",
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-jf8v-p3pp-93qh",
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
}
]
}