fix: override lodash >=4.18.0 to patch code injection vulnerability #51

Merged
privilegedescalation-engineer[bot] merged 3 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-03 17:44:15 +00:00
Showing only changes of commit ecd1e4db29 - Show all commits
+2 -1
@@ -44,6 +44,7 @@
},
"overrides": {
"tar": "^7.5.11",
"undici": "^7.24.3"
"undici": "^7.24.3",
"lodash": ">=4.18.0"
}
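Review bot: the new entry `"lodash": ">=4.18.0"` has no upper bound, so this override will also resolve to any future 5.x or later major of lodash, not just the patched 4.x line; the two existing overrides in this block (`"tar": "^7.5.11"`, `"undici": "^7.24.3"`) use caret ranges, so `"lodash": "^4.18.0"` (equivalent to `>=4.18.0 <5.0.0`) keeps the fix while excluding silent major bumps. Also, this commit is +2 -1 on package.json only, so make sure the lockfile is regenerated elsewhere in the PR; an override in package.json changes nothing installed until the lockfile reflects it, and `npm ls lodash` after install is the quick way to confirm no pre-4.18.0 copy remains in the tree.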
greptile-apps[bot] commented 2026-04-23 11:03:28 +00:00 (Migrated from github.com)
Review

P2 Override version range is overly permissive

The constraint `>=4.18.0` allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to `^4.18.0` (i.e. `>=4.18.0 <5.0.0`) is safer and matches the precedent of the other overrides in this file.

```suggestion
"lodash": "^4.18.0"
```
}
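The review comment's point is that a lower-bound-only range such as `>=4.18.0` accepts every future major version, whereas `^4.18.0` expands to `>=4.18.0 <5.0.0`. The script below is an added example, not code from this PR or from lodash or npm: it computes the bounds of the common npm range syntaxes (`^`, `~`, exact, comparator sets, `||` unions, `*`) without a third-party semver library and flags every entry in a package.json `overrides` block whose range has no upper bound. The `samplePackage` object is constructed to mirror the overrides in the hunk above; the function and variable names are this example's own.

```javascript
// Added example (not part of the PR): flag dependency overrides whose version
// range has no upper bound. Only the common range syntaxes are recognised;
// anything the parser does not understand is reported as unbounded, which is
// the conservative choice for a security review.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns { lower, upper } for a single (non-union) range.
// upper === null means the range accepts arbitrarily new versions.
function boundsOf(range) {
  const r = range.trim();
  if (r === '' || r === '*' || /^x$/i.test(r)) return { lower: null, upper: null };

  let m;
  // Caret: ^4.18.0 => >=4.18.0 <5.0.0 (for 0.y.z the minor, for 0.0.z the patch, is fixed)
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(r))) {
    const [a, b, c] = parseVersion(m[1]);
    const upper = a > 0 ? [a + 1, 0, 0] : b > 0 ? [0, b + 1, 0] : [0, 0, c + 1];
    return { lower: [a, b, c], upper };
  }
  // Tilde: ~4.18.0 => >=4.18.0 <4.19.0
  if ((m = /^~(\d+\.\d+\.\d+)$/.exec(r))) {
    const [a, b, c] = parseVersion(m[1]);
    return { lower: [a, b, c], upper: [a, b + 1, 0] };
  }
  // Exact pin: 4.18.0 or =4.18.0
  if ((m = /^=?(\d+\.\d+\.\d+)$/.exec(r))) {
    const v = parseVersion(m[1]);
    return { lower: v, upper: v };
  }
  // Comparator set such as ">=4.18.0 <5.0.0": every token must be a comparator,
  // otherwise treat the range as unknown and therefore unbounded.
  let lower = null;
  let upper = null;
  for (const tok of r.split(/\s+/)) {
    const cm = /^(>=|>|<=|<)(\d+\.\d+\.\d+)$/.exec(tok);
    if (!cm) return { lower: null, upper: null };
    const v = parseVersion(cm[2]);
    if (cm[1].startsWith('>')) lower = v;
    else upper = v;
  }
  return { lower, upper };
}

// A union "a || b" is unbounded if any alternative is.
function isUnbounded(range) {
  return range.split('||').some((alt) => boundsOf(alt).upper === null);
}

// Walk the overrides block of a package.json-like object and report the
// entries a reviewer should look at. Nested override objects are skipped.
function findPermissiveOverrides(pkg) {
  const overrides = pkg.overrides || {};
  return Object.entries(overrides)
    .filter(([, range]) => typeof range === 'string' && isUnbounded(range))
    .map(([name, range]) => ({ name, range }));
}

// Constructed sample mirroring the overrides block in the diff above.
const samplePackage = {
  name: 'example-app',
  overrides: {
    tar: '^7.5.11',
    undici: '^7.24.3',
    lodash: '>=4.18.0',
  },
};

console.log(findPermissiveOverrides(samplePackage));
```

Running it prints only the lodash entry, since the caret ranges on tar and undici both carry an implicit `<next-major` bound; swapping the lodash range for `^4.18.0` makes the list empty. The parser deliberately errs toward flagging what it cannot parse, so a real CI check built on this idea should be paired with a full semver library before it gates merges.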