fix: patch high-severity vulnerabilities in picomatch and vite (#128)
* chore: replace Dependabot references with Renovate - SECURITY.md: update to mention Renovate (org-wide Mend Renovate) - PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config) Closes PRI-389. Parent PRI-387. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities Resolves 3 high-severity vulnerabilities from pnpm audit: - GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4) - GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket - GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection). Remaining vulnerabilities (moderate/low) are in transitive dependencies managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config which require upstream updates to those packages. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #128.
This commit is contained in:
privilegedescalation-engineer[bot]
committed by
GitHub
GitHub
parent
202ce66c61
commit
aa1db9215a
+1
-1
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:
|
||||
|
||||
The project uses:
|
||||
- **npm audit**: Runs automatically during `npm install`
|
||||
- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
|
||||
- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
|
||||
- **GitHub Actions**: CI workflow runs `npm audit` on every commit
|
||||
|
||||
### Updating Dependencies
|
||||
|
||||
Reference in New Issue
Block a user