Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added
fast-uri >=3.1.2 to pnpm overrides to address:
- GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1)
- GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2)
Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps
without direct override paths and do not affect production runtime.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The lockfile was out of sync with package.json after playwright removal,
causing CI to fail with --frozen-lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* chore: replace Dependabot references with Renovate
- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)
Closes PRI-389. Parent PRI-387.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities
Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling
Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).
Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: update pnpm-lock.yaml to satisfy lodash override
The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile
had an older version. Regenerated lockfile with pnpm install.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope heading locators to main content area
Fix E2E test failures by scoping heading locators to the main
content area instead of searching the entire page. This prevents
matching headings in the sidebar or other non-content areas.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope remaining getByText to main element
The 'Cluster Score' text matcher was still searching the entire page
instead of being scoped to the main content area. This could cause
false positives if the same text appears in the sidebar.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: trigger fresh E2E run
Re-pushing to trigger a new CI run since the last E2E was cancelled.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use [role=main] instead of main element
Switch from 'main' element selector to '[role="main"]' attribute
selector for better compatibility with Headlamp's app structure.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): hybrid approach - unscoped headings, main-scoped text
Use broader heading selectors matching intel-gpu pattern, but
keep text checks scoped to main element to avoid sidebar conflicts.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: re-test original code to verify baseline
---------
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
pnpm strict mode does not hoist transitive deps. @headlamp-k8s/eslint-config
was only available via @kinvolk/headlamp-plugin, causing ESLint to fail with
"Cannot find config @headlamp-k8s/eslint-config to extend from". Adding it
as a direct devDependency makes it accessible at the root node_modules level.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm strict mode does not expose transitive dependency binaries.
Adding prettier@^2.8.8 alongside eslint@^8.57.0 so that
pnpm run format:check works in CI without 'prettier: not found'.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pnpm's strict node_modules layout does not expose transitive dependency
binaries. eslint was only a transitive dep via @kinvolk/headlamp-plugin,
causing 'eslint: not found' when running pnpm run lint in CI.
Adding eslint@^8.57.0 as a direct devDependency ensures the binary is
available in node_modules/.bin/ under pnpm.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move vulnerability overrides from npm-format top-level `overrides` to
pnpm-format `pnpm.overrides`. Add flatted override to patch the
high-severity prototype pollution CVE. All 5 high + 3 moderate severity
issues are now resolved.
Remaining: elliptic (low, no patch available upstream).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm run tsc failed with "tsc not found" because typescript was only
available as a transitive dependency from @kinvolk/headlamp-plugin.
Adding it explicitly as a direct devDependency ensures tsc is always
accessible regardless of pnpm hoisting behavior.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds missing TypeScript type declarations for React and React-DOM as devDependencies.
QA-approved by Regression Regina.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
vitest, @testing-library/react, @testing-library/user-event,
@testing-library/jest-dom, jsdom, react, react-dom, @mui/material,
and react-router-dom were all used directly but only available as
transitive dependencies through @kinvolk/headlamp-plugin. pnpm's
strict module resolution prevented them from being resolved.
Also adds process.env.NODE_ENV="test" to vitest config so React
loads its development build (required for act() support in tests).
Fixes#27
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
privilegedescalation-engineer[bot]
Chris Farhood