fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities

Browse Source

Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling

Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).

Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

...

This commit is contained in:

Chris Farhood

2026-05-04 06:02:51 +00:00

committed by Gandalf the Greybeard [agent]

parent 5532dd0ac8

commit 27aecdbda7

2 changed files with 506 additions and 128 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

pnpm-lock.yaml

Generated

+503 -127

File diff suppressed because it is too large Load Diff