Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added
fast-uri >=3.1.2 to pnpm overrides to address:
- GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1)
- GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2)
Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps
without direct override paths and do not affect production runtime.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* chore: replace Dependabot references with Renovate
- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)
Closes PRI-389. Parent PRI-387.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities
Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling
Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).
Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: update pnpm-lock.yaml to satisfy lodash override
The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile
had an older version. Regenerated lockfile with pnpm install.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope heading locators to main content area
Fix E2E test failures by scoping heading locators to the main
content area instead of searching the entire page. This prevents
matching headings in the sidebar or other non-content areas.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope remaining getByText to main element
The 'Cluster Score' text matcher was still searching the entire page
instead of being scoped to the main content area. This could cause
false positives if the same text appears in the sidebar.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: trigger fresh E2E run
Re-pushing to trigger a new CI run since the last E2E was cancelled.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use [role=main] instead of main element
Switch from 'main' element selector to '[role="main"]' attribute
selector for better compatibility with Headlamp's app structure.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): hybrid approach - unscoped headings, main-scoped text
Use broader heading selectors matching intel-gpu pattern, but
keep text checks scoped to main element to avoid sidebar conflicts.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: re-test original code to verify baseline
---------
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
- Bump version to 1.0.0 in package.json and package-lock.json
- Update artifacthub-pkg.yml: version, archive-url, and changes section
- Add v1.0.0 CHANGELOG entry covering changes since v0.7.2
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: add packageManager field to pin pnpm version
Pins pnpm@10.32.1 via the packageManager field. This allows
pnpm/action-setup@v4 to resolve the version from package.json instead
of relying on `version: latest`, preventing silent breakage on major
pnpm version bumps.
Fixes: PRI-674
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: trigger fresh CI run after Corepack fix merges in .github PR #57
The shared plugin-ci.yaml now uses Corepack when packageManager field
is set, avoiding the 'Multiple versions of pnpm specified' error.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: retrigger CI with updated shared workflow (python3 pnpm detection)
---------
Co-authored-by: Hugh Hackman <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.paperclip.ing>
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.com>
pnpm strict mode does not hoist transitive deps. @headlamp-k8s/eslint-config
was only available via @kinvolk/headlamp-plugin, causing ESLint to fail with
"Cannot find config @headlamp-k8s/eslint-config to extend from". Adding it
as a direct devDependency makes it accessible at the root node_modules level.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm strict mode does not expose transitive dependency binaries.
Adding prettier@^2.8.8 alongside eslint@^8.57.0 so that
pnpm run format:check works in CI without 'prettier: not found'.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pnpm's strict node_modules layout does not expose transitive dependency
binaries. eslint was only a transitive dep via @kinvolk/headlamp-plugin,
causing 'eslint: not found' when running pnpm run lint in CI.
Adding eslint@^8.57.0 as a direct devDependency ensures the binary is
available in node_modules/.bin/ under pnpm.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move vulnerability overrides from npm-format top-level `overrides` to
pnpm-format `pnpm.overrides`. Add flatted override to patch the
high-severity prototype pollution CVE. All 5 high + 3 moderate severity
issues are now resolved.
Remaining: elliptic (low, no patch available upstream).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm run tsc failed with "tsc not found" because typescript was only
available as a transitive dependency from @kinvolk/headlamp-plugin.
Adding it explicitly as a direct devDependency ensures tsc is always
accessible regardless of pnpm hoisting behavior.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Dependabot security update runs are failing because it cannot resolve
patched versions of tar (>=7.5.11) and undici (>=7.24.0) through
transitive dependency chains. While npm overrides already mitigate the
vulnerabilities locally, Dependabot's resolver doesn't honor overrides.
Adding these as explicit devDependencies lets Dependabot see and
resolve the patched versions directly.
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The dependency tree through @kinvolk/headlamp-plugin constrains tar
(via pluginctl) and undici (via cheerio/i18next-parser). While the
lockfile currently resolves to patched versions, Dependabot cannot
auto-update these transitive deps. Adding explicit overrides ensures
tar>=7.5.11 and undici>=7.24.3 are always resolved, preventing
future Dependabot failures.
Fixes#64
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds missing TypeScript type declarations for React and React-DOM as devDependencies.
QA-approved by Regression Regina.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Updates package.json and artifacthub-pkg.yml for the v0.7.0 release.
Includes all changes since v0.6.0:
- RBAC fix for Polaris dashboard proxy access (PR #22)
- Settings test selector fix (PR #22)
- Package name correction from solaris to polaris (PR #26)
- E2E preflight check (PR #24)
- Missing test dependencies (PR #28)
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
vitest, @testing-library/react, @testing-library/user-event,
@testing-library/jest-dom, jsdom, react, react-dom, @mui/material,
and react-router-dom were all used directly but only available as
transitive dependencies through @kinvolk/headlamp-plugin. pnpm's
strict module resolution prevented them from being resolved.
Also adds process.env.NODE_ENV="test" to vitest config so React
loads its development build (required for act() support in tests).
Fixes#27
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* ci: add E2E preflight check for Headlamp connectivity and plugin version
Adds a diagnostic step before E2E tests that:
- Logs the expected plugin version from package.json
- Verifies Headlamp is reachable (fails fast if not)
- Attempts to list installed plugins for debugging
This surfaces version mismatches and connectivity issues immediately
instead of requiring analysis of cryptic test timeout failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: correct package name from headlamp-solaris to headlamp-polaris
The package name was misspelled as "solaris" instead of "polaris" in
artifacthub-pkg.yml, package.json, and package-lock.json.
Fixes PRI-49
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: correct package name from headlamp-solaris to headlamp-polaris
Fixes the ArtifactHub package name typo introduced in 0.6.0.
Only changes the name field in artifacthub-pkg.yml, package.json,
and package-lock.json. No dependency or workflow changes.
Fixes#25
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Update package name and Artifact Hub repository ID to reflect the
rename from polaris to headlamp-solaris (new ID: 0243bdaf-c926-44dc-b411-a7c291bf1fcd).
Files updated:
- package.json: name polaris -> headlamp-solaris
- package-lock.json: name polaris -> headlamp-solaris
- artifacthub-pkg.yml: name headlamp-polaris-plugin -> headlamp-solaris
- artifacthub-repo.yml: repositoryID updated to new ID
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
* chore: bump version to 0.3.11
* fix: update owner references from cpfarhood to privilegedescalation
- Updated artifacthub-repo.yml owner
- Updated artifacthub-pkg.yml maintainer
- Updated package.json author
Part of organization migration from cpfarhood to privilegedescalation.
Repository transferred from cpfarhood to privilegedescalation organization.
Updated all references in:
- Configuration files (package.json, artifacthub-pkg.yml)
- Documentation (README, CONTRIBUTING, SECURITY, docs/)
- Workflow files
GitHub Actions workflows will continue to work as they use
${{ github.repository }} which auto-updates.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Update package.json name field to show cleaner name in Headlamp Settings → Plugins.
Before: headlamp-polaris-plugin
After: polaris
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Happy <yesreply@happy.engineering>
- Update package.json version
- Update artifacthub-pkg.yml version and archive URL
- Add PROJECT_ASSESSMENT.md for tracking improvements
- Add deployment/ directory with plugin loading fix documentation
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Major new features:
- App bar score badge showing cluster Polaris score
- Inline audit results in Deployment/StatefulSet/DaemonSet/Job/CronJob detail views
- Exemption management UI with annotation PATCH support
- Top issues table on overview dashboard
- Audit time display and manual refresh button
- Connection test button in settings
- Check ID to human-readable name mapping
- Enhanced error messages with context
Technical improvements:
- Added triggerRefresh to PolarisDataContext for manual refresh
- Created checkMapping.ts for check metadata
- Created topIssues.ts for extracting common failures
- Enhanced DashboardView with top issues and refresh
- Enhanced PolarisSettings with connection test
- Created InlineAuditSection for details view integration
- Created AppBarScoreBadge for app bar integration
- Created ExemptionManager for annotation patches
UI enhancements:
- 1000px namespace detail panel
- Theme-aware styling throughout
- Improved formatting and layout
- Better status indicators
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Fix namespace detail panel to follow system dark/light theme
- Use proper CSS custom properties for background and text colors
- Fix plugin settings registration (remove deprecated third parameter)
- Ensure close button and headers respect theme colors
- Version bump to 0.2.5
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Add isFullUrl() helper to detect full vs proxy URLs
- Support both K8s proxy URLs and direct HTTP/HTTPS URLs
- Use fetch() for full URLs, ApiProxy for K8s proxy URLs
- Improve error messages with context-specific guidance
- Update settings with examples for both URL types
- Version bump to 0.2.3
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Add getDashboardUrl() and setDashboardUrl() functions to polaris.ts
- Update PolarisSettings with dashboard URL input field
- Replace hardcoded POLARIS_DASHBOARD_PROXY with configurable getPolarisProxyUrl()
- Increase namespace detail panel width to 800px
- Remove unused 'Skipped' field from overview dashboard
- Version bump to 0.2.2
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
privilegedescalation-engineer[bot]
Chris Farhood