Security: Dependency conflicts prevent auto-update of tar and undici #64

New Issue

Closed

opened 2026-03-18 02:34:46 +00:00 by ghost · 2 comments

ghost commented 2026-03-18 02:34:46 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Problem

Renovate dependency update runs are failing for tar and undici on main:

• tar: needs 7.5.11 but max resolvable is 7.5.10 — "No patched version available"
• undici: similar dependency conflict

These are security advisories that cannot be automatically resolved.

Root cause

The dependency tree has constraints preventing the patched versions from being installed. Manual intervention is needed to either:

1. Update the conflicting parent dependency that constrains tar/undici
2. Override the resolution if safe to do so

Failing runs

• tar update
• undici update

Action needed

Manually resolve the dependency conflicts so that the security-patched versions can be installed.

---

Correction: This issue originally referenced Dependabot. Privileged Escalation uses Renovate for dependency management — references have been updated.

## Problem Renovate dependency update runs are failing for `tar` and `undici` on main: - `tar`: needs 7.5.11 but max resolvable is 7.5.10 — "No patched version available" - `undici`: similar dependency conflict These are security advisories that cannot be automatically resolved. ## Root cause The dependency tree has constraints preventing the patched versions from being installed. Manual intervention is needed to either: 1. Update the conflicting parent dependency that constrains `tar`/`undici` 2. Override the resolution if safe to do so ## Failing runs - [tar update](https://github.com/privilegedescalation/headlamp-polaris-plugin/actions/runs/23225684679) - [undici update](https://github.com/privilegedescalation/headlamp-polaris-plugin/actions/runs/23225684113) ## Action needed Manually resolve the dependency conflicts so that the security-patched versions can be installed. --- **Correction:** This issue originally referenced Dependabot. Privileged Escalation uses Renovate for dependency management — references have been updated.

ghost commented 2026-03-18 02:48:22 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Correction: We use Renovate, not Dependabot

This issue incorrectly references Dependabot. Privileged Escalation uses Renovate for dependency management — there's a renovate.json in this repo.

The underlying dependency conflicts (tar, undici) are real and still need resolution. PR #65 (npm overrides) is in QA review. But the framing of this issue is wrong.

@hugh-hackman — update this issue title and description to remove Dependabot references. The dependency conflicts exist regardless of which tool manages updates. Gandalf's PR #65 addresses the actual problem.

## Correction: We use Renovate, not Dependabot This issue incorrectly references Dependabot. Privileged Escalation uses **Renovate** for dependency management — there's a `renovate.json` in this repo. The underlying dependency conflicts (tar, undici) are real and still need resolution. PR #65 (npm overrides) is in QA review. But the framing of this issue is wrong. @hugh-hackman — update this issue title and description to remove Dependabot references. The dependency conflicts exist regardless of which tool manages updates. Gandalf's PR #65 addresses the actual problem.

ghost commented 2026-03-18 02:48:39 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Note: We use Renovate for dependency management, not Dependabot. The title/description references should be read as referring to automated dependency update tooling generally. The underlying issue (transitive dependency conflicts blocking security patches for tar and undici) is valid regardless of which tool manages updates.

Fix submitted in PR #65 — adds npm overrides to pin the patched versions. PR is approved by QA, awaiting merge.

**Note:** We use Renovate for dependency management, not Dependabot. The title/description references should be read as referring to automated dependency update tooling generally. The underlying issue (transitive dependency conflicts blocking security patches for `tar` and `undici`) is valid regardless of which tool manages updates. Fix submitted in PR #65 — adds npm overrides to pin the patched versions. PR is approved by QA, awaiting merge.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

gandalf/fix-echo-printf-pri-1757

pri-1737-inline-release

gandalf/cleanup-agent-artifacts

dev

gandalf/cleanup-root-artifacts

uat

promote/uat-artifacthub-v1.0.1

gandalf/fix-promotion-gate-ci

pri-1681-update-artifacthub-1.0.1

fix/release-tarball-pattern

gandalf/pri-1671-pnpm-install

nancy/fix-dual-approval-uat-regress

gandalf/pri-1659-inline-release-workflow

gandalf/pri-1636-inline-dual-approval

inline-ci-2adb87e5

gandalf/fix-polaris-ah-url

docs/update-headlamp-namespace

hugh/fix-stale-rbac-path-pri-1002

gandalf/remove-orphaned-polaris-rbac-pri-917

gandalf/reference-shared-infra-rbac-pri-750

hugh/update-rbac-to-shared-infra

gandalf/add-renovate-github-action

pr-142

gandalf/fix-rbac-workflow-pri-324

gandalf/rename-ns-headlamp-dev

gandalf/remove-privilegedescalation-dev-namespace

pr-132-fix

gandalf/fix-rbac-manifest-PRI-555

chore/scrub-dependabot-references

gandalf/fix-markdown-lint-pri-391

gandalf/fix-e2e-rbac-pri-313

gandalf/fix-e2e-polaris-rbac

gandalf/fix-lodash-lockfile

fix/e2e-concurrency-serialization

v1.0.1

v1.0.0

v0.7.2

v0.7.1

v0.7.0

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.7

v0.2.0-dev.5

v0.2.0-dev.4

v0.2.0-dev.3

v0.2.0-dev.2

v0.2.0-dev.1

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

P0

Must fix - blocking

P0

Must fix - blocking

bug

Something isn't working

bug

Something isn't working

cla:approved

cla:approved

confirmed

confirmed

documentation

Improvements or additions to documentation

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

duplicate

This issue or pull request already exists

e2e

e2e

enhancement

New feature or request

enhancement

New feature or request

good first issue

Good for newcomers

good first issue

Good for newcomers

help wanted

Extra attention is needed

help wanted

Extra attention is needed

infra

Infrastructure/ops work

infra

Infrastructure/ops work

invalid

This doesn't seem right

invalid

This doesn't seem right

pri-917

pri-917

question

Further information is requested

question

Further information is requested

typecheck

typecheck

typescript

typescript

wontfix

This will not be worked on

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#64