chore: regenerate pnpm-lock.yaml with elliptic override

Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/e2e.yaml

@@ -51,9 +51,6 @@ jobs:
       - name: Build plugin
         run: npx @kinvolk/headlamp-plugin build
 
-      - name: Apply RBAC for E2E runner
-        run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
-
       - name: Deploy E2E Headlamp instance
         run: scripts/deploy-e2e-headlamp.sh
 

deployment/e2e-ci-runner-rbac.yaml

@@ -1,37 +1,40 @@
 ---
-# e2e-ci-runner-rbac.yaml
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# CI-only test fixture — NOT for production use.
 #
-# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# Grants the ARC runner service account permissions in the headlamp-dev
-# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# headlamp-dev namespace (override via E2E_NAMESPACE when needed).
+# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
 #
-# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
+# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
+#
+# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
+# and managed by Flux GitOps. The infra repo is the source of truth.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: e2e-ci-runner
   namespace: headlamp-dev
 rules:
-  - apiGroups: ["rbac.authorization.k8s.io"]
+  # Helm needs to manage these resources for the Headlamp chart
-    resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: [""]
-    resources: ["configmaps", "serviceaccounts", "events"]
-    verbs: ["get", "list", "create", "delete"]
   - apiGroups: ["apps"]
     resources: ["deployments"]
-    verbs: ["get", "create", "delete"]
+    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
   - apiGroups: [""]
-    resources: ["services"]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
-    verbs: ["get", "create", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["get", "list"]
+    verbs: ["get", "list", "watch"]
+  # Token creation for E2E test auth
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: e2e-ci-runner
+  name: e2e-ci-runner-binding
   namespace: headlamp-dev
 subjects:
   - kind: ServiceAccount

package.json

@@ -38,7 +38,8 @@
       "flatted": "^3.4.2",
       "lodash": ">=4.18.0",
       "picomatch": ">=4.0.4",
-      "vite": ">=6.4.2"
+      "vite": ">=6.4.2",
+      "elliptic": ">=6.6.1"
     }
   },
   "devDependencies": {

pnpm-lock.yaml

@@ -11,6 +11,7 @@ overrides:
   lodash: '>=4.18.0'
   picomatch: '>=4.0.4'
   vite: '>=6.4.2'
+  elliptic: '>=6.6.1'
 
 importers: