fix: add tar and undici as direct devDeps for Dependabot resolution #68

Merged

ghost merged 1 commits from fix/dependabot-security-resolution into main 2026-03-18 23:54:21 +00:00

Conversation 1 Commits 1 Files Changed 2

+4

ghost commented 2026-03-18 23:52:18 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

• Adds tar@^7.5.11 and undici@^7.24.3 as explicit devDependencies
• Fixes Dependabot security update failures (runs 23227058794, 23226754711)
• npm overrides were already in place but Dependabot's resolver doesn't honor them, causing repeated updater crashes

Root Cause

Dependabot's npm updater cannot resolve patched versions of tar (needs >=7.5.11, sees max 7.5.10) and undici (needs >=7.24.0, sees max 7.22.0) through transitive dependency chains. Adding them as explicit devDependencies gives Dependabot a direct path to the patched versions.

Test plan

• npm audit — 0 vulnerabilities
• npm test — 78/78 tests passing
• tsc --noEmit — clean
• Verify Dependabot runs go green after merge

## Summary - Adds `tar@^7.5.11` and `undici@^7.24.3` as explicit devDependencies - Fixes Dependabot security update failures (runs [23227058794](https://github.com/privilegedescalation/headlamp-polaris-plugin/actions/runs/23227058794), [23226754711](https://github.com/privilegedescalation/headlamp-polaris-plugin/actions/runs/23226754711)) - npm overrides were already in place but Dependabot's resolver doesn't honor them, causing repeated updater crashes ## Root Cause Dependabot's npm updater cannot resolve patched versions of `tar` (needs >=7.5.11, sees max 7.5.10) and `undici` (needs >=7.24.0, sees max 7.22.0) through transitive dependency chains. Adding them as explicit devDependencies gives Dependabot a direct path to the patched versions. ## Test plan - [x] `npm audit` — 0 vulnerabilities - [x] `npm test` — 78/78 tests passing - [x] `tsc --noEmit` — clean - [ ] Verify Dependabot runs go green after merge

Chris Farhood approved these changes 2026-03-18 23:54:15 +00:00

Chris Farhood left a comment

Copy Link

Copy Source

Clean fix. Adds tar and undici as explicit devDeps to unblock Dependabot's resolver. CI green.

Clean fix. Adds tar and undici as explicit devDeps to unblock Dependabot's resolver. CI green.

Sign in to join this conversation.

Reviewers

No Reviewers

Chris Farhood

Labels

Clear labels

P0

Must fix - blocking

P0

Must fix - blocking

bug

Something isn't working

bug

Something isn't working

cla:approved

cla:approved

confirmed

confirmed

documentation

Improvements or additions to documentation

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

duplicate

This issue or pull request already exists

e2e

e2e

enhancement

New feature or request

enhancement

New feature or request

good first issue

Good for newcomers

good first issue

Good for newcomers

help wanted

Extra attention is needed

help wanted

Extra attention is needed

infra

Infrastructure/ops work

infra

Infrastructure/ops work

invalid

This doesn't seem right

invalid

This doesn't seem right

pri-917

pri-917

question

Further information is requested

question

Further information is requested

typecheck

typecheck

typescript

typescript

wontfix

This will not be worked on

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#68