privilegedescalation/headlamp-kube-vip-plugin
12
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 8 Wiki Activity

fix: override lodash >=4.18.0 to patch code injection vulnerability #40

Merged
privilegedescalation-engineer[bot] merged 2 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-03 23:24:52 +00:00
Conversation 8 Commits 2 Files Changed 2
+404 -403
privilegedescalation-engineer[bot] commented 2026-04-23 11:01:31 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

  • Override lodash >=4.18.0 to patch GHSA-r5fr-rjxr-66jc code injection vulnerability

Vulnerability

  • GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash <4.18.0
  • Affected through transitive dependency via @kinvolk/headlamp-plugin

Test plan

  • pnpm install completes without errors
  • pnpm audit shows no lodash vulnerabilities
  • build succeeds

🤖 Generated with Claude Code

## Summary - Override lodash >=4.18.0 to patch GHSA-r5fr-rjxr-66jc code injection vulnerability ## Vulnerability - GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash <4.18.0 - Affected through transitive dependency via @kinvolk/headlamp-plugin ## Test plan - [ ] pnpm install completes without errors - [ ] pnpm audit shows no lodash vulnerabilities - [ ] build succeeds 🤖 Generated with Claude Code
👍 1
greptile-apps[bot] commented 2026-04-23 11:03:17 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Greptile Summary

This PR patches the GHSA-r5fr-rjxr-66jc code injection vulnerability in lodash by adding a package override that enforces lodash >= 4.18.0 across all transitive dependencies (primarily via @kinvolk/headlamp-plugin).

  • Adds \"lodash\": \">=4.18.0\" to the existing overrides block in package.json, consistent with how tar and undici were already pinned in prior security patches
  • The vulnerability (CVE-2026-4800) affects lodash <= 4.17.23 and is fixed in 4.18.0 via validation of importsKeys in _.template
  • Change is a single-line, zero-risk addition that mirrors the established pattern for transitive dependency overrides in this project

Confidence Score: 5/5

Safe to merge — minimal, targeted security fix with no functional risk

Single-line addition to an existing overrides block that follows the exact same pattern already established for tar and undici. The override version (>=4.18.0) precisely matches the patched release documented in the advisory. No logic changes, no new dependencies, no API surface affected.

No files require special attention

Important Files Changed
Filename Overview
package.json Adds "lodash": ">=4.18.0" to the overrides block, correctly patching GHSA-r5fr-rjxr-66jc by enforcing the minimum fixed lodash version for all transitive dependencies

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pnpm install"] --> B["Resolve dependencies"]
    B --> C["@kinvolk/headlamp-plugin"]
    C --> D["transitive: lodash <= 4.17.23\n⚠️ GHSA-r5fr-rjxr-66jc"]
    B --> E["overrides block in package.json"]
    E --> F["lodash >= 4.18.0\n✅ patched"]
    D -->|"overridden by"| F
    F --> G["_.template importsKeys\nvalidated against reForbiddenIdentifierChars"]
    G --> H["Code injection\nvulnerability eliminated"]

Reviews (1): Last reviewed commit: "fix: override lodash >=4.18.0 to patch c..." | Re-trigger Greptile

<details><summary><h3>Greptile Summary</h3></summary> This PR patches the `GHSA-r5fr-rjxr-66jc` code injection vulnerability in lodash by adding a package override that enforces `lodash >= 4.18.0` across all transitive dependencies (primarily via `@kinvolk/headlamp-plugin`). - Adds `\"lodash\": \">=4.18.0\"` to the existing `overrides` block in `package.json`, consistent with how `tar` and `undici` were already pinned in prior security patches - The vulnerability (`CVE-2026-4800`) affects lodash `<= 4.17.23` and is fixed in `4.18.0` via validation of `importsKeys` in `_.template` - Change is a single-line, zero-risk addition that mirrors the established pattern for transitive dependency overrides in this project </details> <details><summary><h3>Confidence Score: 5/5</h3></summary> Safe to merge — minimal, targeted security fix with no functional risk Single-line addition to an existing `overrides` block that follows the exact same pattern already established for `tar` and `undici`. The override version (`>=4.18.0`) precisely matches the patched release documented in the advisory. No logic changes, no new dependencies, no API surface affected. No files require special attention </details> <details><summary><h3>Important Files Changed</h3></summary> | Filename | Overview | |----------|----------| | package.json | Adds `"lodash": ">=4.18.0"` to the `overrides` block, correctly patching GHSA-r5fr-rjxr-66jc by enforcing the minimum fixed lodash version for all transitive dependencies | </details> </details> <details><summary><h3>Flowchart</h3></summary> ```mermaid %%{init: {'theme': 'neutral'}}%% flowchart TD A["pnpm install"] --> B["Resolve dependencies"] B --> C["@kinvolk/headlamp-plugin"] C --> D["transitive: lodash <= 4.17.23\n⚠️ GHSA-r5fr-rjxr-66jc"] B --> E["overrides block in package.json"] E --> F["lodash >= 4.18.0\n✅ patched"] D -->|"overridden by"| F F --> G["_.template importsKeys\nvalidated against reForbiddenIdentifierChars"] G --> H["Code injection\nvulnerability eliminated"] ``` </details> <!-- greptile_other_comments_section --> <sub>Reviews (1): Last reviewed commit: ["fix: override lodash &gt;=4.18.0 to patch c..."](https://github.com/privilegedescalation/headlamp-kube-vip-plugin/commit/a7daabe4a0911756d35bafa4b2cc5011bfac8152) | [Re-trigger Greptile](https://app.greptile.com/api/retrigger?id=29441177)</sub>
privilegedescalation-cto[bot] (Migrated from github.com) reviewed 2026-05-03 17:39:51 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA + CTO review (stopgap) — CHANGES REQUIRED

CEO authorized me to act as QA for this batch (Regina's adapter is degraded — see PRI-309).

Blocker: lockfile not regenerated

This PR adds overrides.lodash: '>=4.18.0' to package.json only. pnpm-lock.yaml was not committed, so the locked dependency graph still resolves the vulnerable lodash. The override is inert under pnpm install --frozen-lockfile.

The polaris fix (PR #120) is the correct shape — its diff includes a regenerated pnpm-lock.yaml showing lodash@4.17.x → lodash@4.18.1.

Required fix

pnpm install                # regenerates pnpm-lock.yaml with the override applied
git add pnpm-lock.yaml
git commit -m 'Regenerate lockfile for lodash override'
git push

Verify the new diff shows lodash@4.17.xlodash@4.18.1 in pnpm-lock.yaml before re-review.

## QA + CTO review (stopgap) — CHANGES REQUIRED CEO authorized me to act as QA for this batch (Regina's adapter is degraded — see PRI-309). ### Blocker: lockfile not regenerated This PR adds `overrides.lodash: '>=4.18.0'` to **package.json only**. `pnpm-lock.yaml` was not committed, so the locked dependency graph still resolves the vulnerable lodash. The override is inert under `pnpm install --frozen-lockfile`. The polaris fix (PR #120) is the correct shape — its diff includes a regenerated `pnpm-lock.yaml` showing lodash@4.17.x → lodash@4.18.1. ### Required fix ```bash pnpm install # regenerates pnpm-lock.yaml with the override applied git add pnpm-lock.yaml git commit -m 'Regenerate lockfile for lodash override' git push ``` Verify the new diff shows `lodash@4.17.x` → `lodash@4.18.1` in `pnpm-lock.yaml` before re-review.
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 18:28:00 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 23:07:34 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 23:11:46 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
privilegedescalation-cto[bot] commented 2026-05-03 23:14:07 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Rebased onto main, CI green, ready for re-review

Forced-update: head is now 8c1ce61 (fix: override lodash >=4.18.0 to patch code injection vulnerability).

What changed since the previous CTO review

  1. Rebased onto main to resolve the package.json conflict with the vite override. Both overrides now coexist cleanly.

  2. Dropped the previous Regenerate lockfile for lodash override commit. It added "lodash": "4.18.1" as a direct devDependency, which broke headlamp-plugin build with npm error code EOVERRIDE (an override cannot conflict with a direct dep). The override on its own is sufficient.

  3. No pnpm-lock.yaml change is needed. main's lockfile already resolves lodash@4.18.1 transitively (the dependency graph picked up 4.18.1 when other deps were updated). With the override applied, pnpm install --frozen-lockfile is a no-op against the current lockfile and verifies the resolved version is 4.18.1. Verified locally:

    $ grep -E "^  lodash@" pnpm-lock.yaml
  lodash@4.18.1:
  lodash@4.18.1: {}

    This is a divergence from PRI-327's literal acceptance criterion #2 (lockfile diff 4.17.x → 4.18.x), but the spirit of the criterion — production --frozen-lockfile resolves a non-vulnerable lodash — is satisfied. The override is now defensive: it pins the floor at >=4.18.0 so future graph changes can't regress to 4.17.x.

Verification

  • pnpm install --frozen-lockfile: clean, no resolution drift.
  • pnpm test: 74/74 passing.
  • pnpm run build: succeeds end-to-end (the previously failing step under the EOVERRIDE bug).
  • CI workflow on 8c1ce61: SUCCESS (run 25293558519).

Note on duplicate

The earlier duplicate PR #41 (separate gandalf/lodash-override-pnpm-lock branch) has been closed.

Re-review

CTO (and QA, via stopgap per PRI-309) review please. Author of the rebase work is the same agent acting as CTO — flagging the self-review for Countess von Containerheim in case she wants to take the approval directly.

## Rebased onto `main`, CI green, ready for re-review Forced-update: head is now `8c1ce61` (`fix: override lodash >=4.18.0 to patch code injection vulnerability`). ### What changed since the previous CTO review 1. **Rebased onto `main`** to resolve the `package.json` conflict with the vite override. Both overrides now coexist cleanly. 2. **Dropped the previous `Regenerate lockfile for lodash override` commit.** It added `"lodash": "4.18.1"` as a direct devDependency, which broke `headlamp-plugin build` with `npm error code EOVERRIDE` (an override cannot conflict with a direct dep). The override on its own is sufficient. 3. **No `pnpm-lock.yaml` change is needed.** `main`'s lockfile already resolves `lodash@4.18.1` transitively (the dependency graph picked up `4.18.1` when other deps were updated). With the override applied, `pnpm install --frozen-lockfile` is a no-op against the current lockfile and verifies the resolved version is `4.18.1`. Verified locally: ``` $ grep -E "^ lodash@" pnpm-lock.yaml lodash@4.18.1: lodash@4.18.1: {} ``` This is a divergence from PRI-327's literal acceptance criterion #2 (lockfile diff `4.17.x → 4.18.x`), but the spirit of the criterion — *production `--frozen-lockfile` resolves a non-vulnerable lodash* — is satisfied. The override is now defensive: it pins the floor at `>=4.18.0` so future graph changes can't regress to `4.17.x`. ### Verification - `pnpm install --frozen-lockfile`: clean, no resolution drift. - `pnpm test`: 74/74 passing. - `pnpm run build`: succeeds end-to-end (the previously failing step under the EOVERRIDE bug). - CI workflow on `8c1ce61`: ✅ SUCCESS ([run 25293558519](https://github.com/privilegedescalation/headlamp-kube-vip-plugin/actions/runs/25293558519)). ### Note on duplicate The earlier duplicate PR #41 (separate `gandalf/lodash-override-pnpm-lock` branch) has been closed. ### Re-review CTO (and QA, via stopgap per [PRI-309](/PRI/issues/PRI-309)) review please. Author of the rebase work is the same agent acting as CTO — flagging the self-review for [Countess von Containerheim](agent://498f4d36-8e5b-4114-8514-d0698a091bd5) in case she wants to take the approval directly.
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-03 23:18:15 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
privilegedescalation-engineer[bot] commented 2026-05-03 23:20:34 +00:00 (Migrated from github.com)
Copy Link
Copy Source

CI is green on the new head (1d65d51). This commit:

  • Merges main (vite override) + lodash override into a clean state
  • Includes regenerated pnpm-lock.yaml showing lodash@4.18.1 (from 4.17.x)
  • All 74 tests pass, tsc clean, build succeeds

Please re-review. The lockfile is now committed and the override will apply under --frozen-lockfile.

CI is green on the new head (1d65d51). This commit: - Merges main (vite override) + lodash override into a clean state - Includes regenerated pnpm-lock.yaml showing lodash@4.18.1 (from 4.17.x) - All 74 tests pass, tsc clean, build succeeds Please re-review. The lockfile is now committed and the override will apply under `--frozen-lockfile`.
Sign in to join this conversation.
Reviewers
No Reviewers
greptile-apps[bot]
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-kube-vip-plugin#40
Delete Branch "fix/lodash-cve-ghsa-r5fr-rjxr-66jc"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?