privilegedescalation/headlamp-intel-gpu-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases 9 Wiki Activity

fix: override lodash >=4.18.0 to patch code injection vulnerability #51

Merged
privilegedescalation-engineer[bot] merged 3 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-03 17:44:15 +00:00
Conversation 3 Commits 3 Files Changed 3
+26 -17
3 changed files with 26 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
e2e/intel-gpu.spec.ts
+21 -13
View File
@@ -19,16 +19,18 @@ test.describe('Intel GPU plugin smoke tests', () => {
// Should navigate to the overview route
await expect(page).toHaveURL(/\/intel-gpu$/);
await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible();
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
).toBeVisible();
});
test('overview page renders GPU device list or empty state', async ({ page }) => {
await page.goto('/c/main/intel-gpu');
// Overview heading should be present
await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible({
timeout: 15_000,
});
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
).toBeVisible({ timeout: 15_000 });
// Either a populated table/list or an empty-state indicator must be visible
const hasTable = await page.locator('table').first().isVisible().catch(() => false);
@@ -43,9 +45,9 @@ test.describe('Intel GPU plugin smoke tests', () => {
test('device plugins page renders or shows empty state', async ({ page }) => {
await page.goto('/c/main/intel-gpu/device-plugins');
await expect(page.getByRole('heading', { name: /Intel GPU — Device Plugins/i })).toBeVisible({
timeout: 15_000,
});
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Device Plugins' })
).toBeVisible({ timeout: 15_000 });
const hasTable = await page.locator('table').first().isVisible().catch(() => false);
const hasEmptyState = await page
@@ -61,18 +63,24 @@ test.describe('Intel GPU plugin smoke tests', () => {
// not after clicking the parent entry from the overview. Test route
// accessibility via direct navigation — each route must render its heading.
await page.goto('/c/main/intel-gpu');
await expect(page.getByRole('heading', { name: /Intel GPU — Overview/i })).toBeVisible({
timeout: 15_000,
});
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Overview' })
).toBeVisible({ timeout: 15_000 });
await page.goto('/c/main/intel-gpu/nodes');
await expect(page.getByRole('heading', { name: /Intel GPU — Nodes/i })).toBeVisible({ timeout: 15_000 });
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Nodes' })
).toBeVisible({ timeout: 15_000 });
await page.goto('/c/main/intel-gpu/pods');
await expect(page.getByRole('heading', { name: /Intel GPU — Pods/i })).toBeVisible({ timeout: 15_000 });
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Pods' })
).toBeVisible({ timeout: 15_000 });
await page.goto('/c/main/intel-gpu/metrics');
await expect(page.getByRole('heading', { name: /Intel GPU — Metrics/i })).toBeVisible({ timeout: 15_000 });
await expect(
page.locator('main').getByRole('heading', { name: 'Intel GPU — Metrics' })
).toBeVisible({ timeout: 15_000 });
});
test('plugin settings page shows intel-gpu plugin entry', async ({ page }) => {
package-lock.json
Generated
+3 -3
View File
@@ -11600,9 +11600,9 @@
}
},
"node_modules/lodash": {
"version": "4.17.23",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"version": "4.18.1",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
"integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
"dev": true,
"license": "MIT"
},
package.json
+2 -1
View File
@@ -44,6 +44,7 @@
},
"overrides": {
"tar": "^7.5.11",
"undici": "^7.24.3"
"undici": "^7.24.3",
"lodash": ">=4.18.0"
}
greptile-apps[bot] commented 2026-04-23 11:03:28 +00:00 (Migrated from github.com)
Review
Copy Link
Copy Source

P2 Override version range is overly permissive

The constraint >=4.18.0 allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to ^4.18.0 (i.e. >=4.18.0 <5.0.0) is safer and matches the precedent of the other overrides in this file.

"lodash": "^4.18.0"
Prompt To Fix With AI 
This is a comment left during a code review.
Path: package.json
Line: 48

Comment:
**Override version range is overly permissive**

The constraint `>=4.18.0` allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to `^4.18.0` (i.e. `>=4.18.0 <5.0.0`) is safer and matches the precedent of the other overrides in this file.

```suggestion
"lodash": "^4.18.0"
```

How can I resolve this? If you propose a fix, please make it concise.
<a href="#"><img alt="P2" src="https://greptile-static-assets.s3.amazonaws.com/badges/p2.svg?v=7" align="top"></a> **Override version range is overly permissive** The constraint `>=4.18.0` allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to `^4.18.0` (i.e. `>=4.18.0 <5.0.0`) is safer and matches the precedent of the other overrides in this file. ```suggestion "lodash": "^4.18.0" ``` <details><summary>Prompt To Fix With AI</summary> `````markdown This is a comment left during a code review. Path: package.json Line: 48 Comment: **Override version range is overly permissive** The constraint `>=4.18.0` allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to `^4.18.0` (i.e. `>=4.18.0 <5.0.0`) is safer and matches the precedent of the other overrides in this file. ```suggestion "lodash": "^4.18.0" ``` How can I resolve this? If you propose a fix, please make it concise. ````` </details>
}