Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Chris Farhood
|
44bd2a5637 |
@@ -14,7 +14,6 @@ on:
|
||||
|
||||
jobs:
|
||||
dual-approval:
|
||||
if: github.event.pull_request != null
|
||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||
secrets: inherit
|
||||
with:
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
name: Mend Renovate GitHub App Token
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
outputs:
|
||||
token:
|
||||
description: "Short-lived GitHub App installation token"
|
||||
value: ${{ jobs.app-token.outputs.token }}
|
||||
|
||||
jobs:
|
||||
app-token:
|
||||
runs-on: runners-privilegedescalation
|
||||
outputs:
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
steps:
|
||||
- name: Generate GitHub App token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@v3
|
||||
with:
|
||||
app-id: ${{ secrets.RELEASE_APP_ID }}
|
||||
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
||||
@@ -5,9 +5,3 @@ dist/
|
||||
.env
|
||||
.env.local
|
||||
.eslintcache
|
||||
|
||||
# E2E
|
||||
e2e/.auth/
|
||||
.env.e2e
|
||||
playwright-report/
|
||||
test-results/
|
||||
|
||||
-25
@@ -22,28 +22,3 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
||||
|
||||
## Known Low-Severity Vulnerabilities
|
||||
|
||||
### GHSA-848j-6mx2-7j84 (elliptic)
|
||||
|
||||
**Severity:** High (but not exploitable in this plugin's context)
|
||||
|
||||
**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
|
||||
|
||||
**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
|
||||
- Use of `elliptic` curve operations on untrusted input, AND
|
||||
- Ability for an attacker to influence the `elliptic` curve key generation input
|
||||
|
||||
Neither condition is met in this plugin's runtime context.
|
||||
|
||||
**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
|
||||
|
||||
**Risk acceptance rationale:**
|
||||
1. Plugin has no write operations against the cluster
|
||||
2. All data flows through Headlamp's API proxy with standard RBAC enforcement
|
||||
3. The vulnerable dependency is only in the development/build toolchain, not runtime
|
||||
4. No untrusted input can reach `elliptic` curve operations through this plugin
|
||||
|
||||
**Review date:** 2026-05-05
|
||||
**Reviewed by:** Hugh Hackman (VP Engineering Operations)
|
||||
|
||||
+1
-4
@@ -31,10 +31,7 @@
|
||||
},
|
||||
"overrides": {
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3",
|
||||
"lodash": ">=4.18.0",
|
||||
"vite": ">=6.4.2",
|
||||
"elliptic": ">=6.6.1"
|
||||
"undici": "^7.24.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@headlamp-k8s/eslint-config": "^0.6.0",
|
||||
|
||||
Generated
+850
-971
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user