Co-authored-by: Chris Farhood <chris@farhood.org> Co-committed-by: Chris Farhood <chris@farhood.org>
# Security Policy

## Supported Versions
| Version | Supported |
|---|---|
| latest | Yes |
## Plugin Scope

This plugin is read-only. It does not perform any write operations against the Kubernetes cluster. It reads:

- Services (type: LoadBalancer)
- Nodes
- Pods in `headlamp`
- DaemonSets in `headlamp`
- Leases in `headlamp`
- ConfigMaps in `headlamp`

All data is fetched through Headlamp's built-in API proxy, which respects the user's existing RBAC permissions.
## Reporting a Vulnerability
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
## Known Low-Severity Vulnerabilities

### GHSA-848j-6mx2-7j84 (elliptic)
Severity: High (but not exploitable in this plugin's context)
Affected component: elliptic (transitive, via vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign)
Description: The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a read-only Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
- Use of `elliptic` curve operations on untrusted input, AND
- Ability for an attacker to influence the `elliptic` curve key generation input
Neither condition is met in this plugin's runtime context.
Remediation: No patched version of elliptic exists on npm. The current override in package.json ("elliptic": ">=6.6.1") is a placeholder — no resolvable version satisfies this constraint.
Risk acceptance rationale:
- Plugin has no write operations against the cluster
- All data flows through Headlamp's API proxy with standard RBAC enforcement
- The vulnerable dependency is only in the development/build toolchain, not runtime
- No untrusted input can reach `elliptic` curve operations through this plugin
Review date: 2026-05-05
Reviewed by: Hugh Hackman (VP Engineering Operations)