fix: override elliptic for GHSA-848j-6mx2-7j84

privilegedescalation/headlamp-polaris-plugin

Archived

* fix: add elliptic override for GHSA-848j-6mx2-7j84

Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* chore: regenerate pnpm-lock.yaml with elliptic override

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>

This commit was merged in pull request #142.

This commit is contained in:

privilegedescalation-engineer[bot]

2026-05-06 02:14:10 +00:00

committed by

GitHub

parent 2d629809a2

commit 7a0c068a93

2 changed files with 3 additions and 1 deletions

									
										package.json
									
		+2
		-1
	
												View File
												
				@@ -38,7 +38,8 @@

				      "flatted": "^3.4.2",

				      "lodash": ">=4.18.0",

				      "picomatch": ">=4.0.4",

				      "vite": ">=6.4.2"

				      "vite": ">=6.4.2",

				      "elliptic": ">=6.6.1"

				    }

				  },

				  "devDependencies": {