From a7daabe4a0911756d35bafa4b2cc5011bfac8152 Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard
Date: Thu, 23 Apr 2026 10:58:22 +0000
Subject: [PATCH] fix: override lodash >=4.18.0 to patch code injection vulnerability

GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7
---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 6c5a94d..cac52b1 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,8 @@
 },
 "overrides": {
 "tar": "^7.5.11",
- "undici": "^7.24.3"
+ "undici": "^7.24.3",
+ "lodash": ">=4.18.0"
 },
 "devDependencies": {
 "@headlamp-k8s/eslint-config": "^0.6.0",
-- 
2.52.0
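Review bot: The new `"lodash": ">=4.18.0"` override has no upper bound, unlike the caret ranges on the neighbouring `tar` and `undici` entries. An override is applied to every package in the tree that depends on lodash, so a future lodash major would be forced onto dependents written against 4.x, and a fresh resolution would accept whatever is newest on the registry. `"lodash": "^4.18.0"` still excludes the versions affected by GHSA-r5fr-rjxr-66jc while staying inside the 4.x line. The patch touches only package.json, so if the repository commits a lockfile, it needs regenerating in the same change; `npm ls lodash` should then show no copy below 4.18.0 before this is treated as remediated.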