From 7a0c068a93c07c864cad28d0e4dd25cdef29b7cf Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 02:14:10 +0000
Subject: [PATCH] fix: override elliptic for GHSA-848j-6mx2-7j84
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: add elliptic override for GHSA-848j-6mx2-7j84

Add pnpm.overrides.elliptic to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path: @kinvolk/headlamp-plugin → vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until upstream publishes elliptic 6.6.2+. This override safeguards against pulling a worse version.

Co-Authored-By: Paperclip

* chore: regenerate pnpm-lock.yaml with elliptic override

---------

Co-authored-by: Chris Farhood
Co-authored-by: Paperclip
---
 package.json | 3 ++-
 pnpm-lock.yaml | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 53e3789..059fa7d 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,8 @@
 "flatted": "^3.4.2",
 "lodash": ">=4.18.0",
 "picomatch": ">=4.0.4",
- "vite": ">=6.4.2"
+ "vite": ">=6.4.2",
+ "elliptic": ">=6.6.1"
 }
 },
 "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c7d8113..aff7413 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -11,6 +11,7 @@ overrides:
 lodash: '>=4.18.0'
 picomatch: '>=4.0.4'
 vite: '>=6.4.2'
+ elliptic: '>=6.6.1'
 importers:
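Review bot: The new override `"elliptic": ">=6.6.1"` in the package.json hunk floors the transitive dependency at a version the commit message itself describes as still affected (it says the fix is expected in elliptic 6.6.2+), so this entry only guards against regression and does not remediate GHSA-848j-6mx2-7j84; the floor should be raised to `"elliptic": ">=6.6.2"` once that release is published. Because strict JSON cannot carry a comment, that follow-up is easy to lose — a tracking issue referencing the advisory would make the temporary nature of the floor visible, and the same value is mirrored in the pnpm-lock.yaml hunk and must be bumped together with it. As a point of style, the surrounding overrides are kept in alphabetical order (flatted, lodash, picomatch, vite) and the new key is appended after `"vite"`; inserting `"elliptic": ">=6.6.1",` before `"flatted"` preserves the order and leaves the `"vite"` line untouched, shrinking the diff to a single added line.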