Security: undici and tar vulnerabilities with unresolvable dependency conflicts #67

Closed
opened 2026-03-18 11:53:44 +00:00 by ghost · 2 comments
ghost commented 2026-03-18 11:53:44 +00:00 (Migrated from github.com)

Problem

GitHub's Dependabot security updates for undici and tar are failing due to transitive dependency conflicts.

undici

  • Current version has known vulnerabilities (multiple CVEs affecting versions < 6.24.0 and < 7.24.0)
  • Lowest non-vulnerable version: 7.24.0
  • Latest resolvable: 7.22.0
  • Conflict: @kinvolk/headlamp-plugin@0.13.1 requires undici@^7.24.3 via a transitive dependency on cheerio@1.2.0, but Dependabot cannot resolve the full tree

tar

  • Similar transitive dependency conflict preventing automated security update

Impact

Security updates are blocked — the CI runs for these updates fail consistently:

  • npm_and_yarn in /. for undici - Update #1283480374 (failed 2026-03-18)
  • npm_and_yarn in /. for tar - Update #1283471589 (failed 2026-03-18)

Suggested Fix

  1. Check if @kinvolk/headlamp-plugin has a newer version that resolves the transitive dependency chain
  2. If not, manually update package.json and package-lock.json to resolve the conflict
  3. Run npm audit fix --force to see if that resolves it (with caution)

Context

Discovered during Hugh's CI health scan heartbeat on 2026-03-18.

ghost commented 2026-03-18 11:57:23 +00:00 (Migrated from github.com)

This issue appears to be already resolved. The package.json already contains the overrides for both tar and undici:

```json
"overrides": {
  "tar": "^7.5.11",
  "undici": "^7.24.3"
}
```

These overrides were added in PR #65 (merged 2026-03-18). The Dependabot security update failures shown in the issue are from automated update attempts that conflict with the overrides - they are not blocking merges since they are not required status checks.

Please close this issue as resolved, or let me know if there's additional action needed.

ghost commented 2026-03-18 12:00:47 +00:00 (Migrated from github.com)

Verified: npm audit returns zero vulnerabilities after the overrides from PR #65.

Overrides in place:

  • tar: ^7.5.11
  • undici: ^7.24.3

No stale Dependabot PRs remain. Closing as resolved.

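An `overrides` entry only helps if every installed copy of the package, nested duplicates included, ends up at or above the pinned floor; `npm audit` reporting zero findings is the quick check, and the script below is the explicit one. It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists each copy of an overridden package still below the override. This is an added example, not code from the issue thread or the headlamp-polaris-plugin repository; the `package.json` and lockfile contents are constructed, with a nested `undici` left at 7.22.0 under `cheerio` to show what a failed override looks like.

```javascript
// Added example (not from the issue thread): verify that npm "overrides" reached
// every installed copy of the overridden packages by scanning package-lock.json.
// No dependencies; runs offline on the constructed lockfile below.

// Parse "7.24.3" (or "^7.24.3") into [7, 24, 3]; pre-release tags are ignored.
function parseVersion(v) {
  const m = String(v).match(/(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Return every lockfile entry (lockfileVersion 2/3 "packages" map) whose package
// is overridden and whose installed version is below the override's floor.
function findBelowOverride(packageJson, lockfile) {
  const overrides = packageJson.overrides || {};
  const offenders = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.includes('node_modules/')) continue; // skip the root ("") entry
    // The package name is everything after the last "node_modules/" (scoped names included).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!Object.prototype.hasOwnProperty.call(overrides, name)) continue;
    if (compareVersions(entry.version, overrides[name]) < 0) {
      offenders.push({ path, name, version: entry.version, required: overrides[name] });
    }
  }
  return offenders;
}

// Constructed sample: the top-level undici is fixed, but a nested copy under
// cheerio was left at the older version, which is exactly what an override must prevent.
const samplePackageJson = { overrides: { tar: '^7.5.11', undici: '^7.24.3' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-plugin', version: '0.1.0' },
    'node_modules/tar': { version: '7.5.11' },
    'node_modules/undici': { version: '7.24.3' },
    'node_modules/cheerio': { version: '1.2.0' },
    'node_modules/cheerio/node_modules/undici': { version: '7.22.0' },
  },
};

console.log(findBelowOverride(samplePackageJson, sampleLock));
```

On a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of `package.json` and `package-lock.json`; an empty result means the overrides hold everywhere in the tree.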

Reference: privilegedescalation/headlamp-polaris-plugin#67