fix: override lodash >=4.18.0 to patch code injection vulnerability #120

Merged
privilegedescalation-engineer[bot] merged 8 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-03 17:43:59 +00:00

8 Commits

Author SHA1 Message Date
Gandalf the Greybeard 270c918833 ci: re-test original code to verify baseline 2026-04-27 00:52:07 +00:00
Gandalf the Greybeard 690723317e fix(e2e): hybrid approach - unscoped headings, main-scoped text
Use broader heading selectors matching intel-gpu pattern, but
keep text checks scoped to main element to avoid sidebar conflicts.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 00:46:30 +00:00
Gandalf the Greybeard 10b6f8e7e0 fix(e2e): use [role=main] instead of main element
Switch from 'main' element selector to '[role="main"]' attribute
selector for better compatibility with Headlamp's app structure.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 00:36:29 +00:00
Gandalf the Greybeard a9793e3c2d ci: trigger fresh E2E run
Re-pushing to trigger a new CI run since the last E2E was cancelled.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 00:29:34 +00:00
Gandalf the Greybeard 82f79357dc fix(e2e): scope remaining getByText to main element
The 'Cluster Score' text matcher was still searching the entire page
instead of being scoped to the main content area. This could cause
false positives if the same text appears in the sidebar.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-27 00:10:59 +00:00
Gandalf the Greybeard 8f4abcf975 fix(e2e): scope heading locators to main content area
Fix E2E test failures by scoping heading locators to the main
content area instead of searching the entire page. This prevents
matching headings in the sidebar or other non-content areas.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-26 23:58:24 +00:00
Gandalf the Greybeard e5737f8b7f fix: update pnpm-lock.yaml to satisfy lodash override
The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile
had an older version. Regenerated lockfile with pnpm install.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-26 21:33:05 +00:00
Gandalf the Greybeard 354093b900 fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-23 10:58:22 +00:00
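Added example, not code from this PR or from the Headlamp project, covering the point commits 354093b900 and e5737f8b7f make together: a `pnpm.overrides` entry in package.json changes nothing until pnpm-lock.yaml is regenerated, so a CI check should fail while the lockfile still resolves a version below the override. The package.json and lockfile excerpts, the `example-plugin` name and the `0.0.0-example` headlamp-plugin version are constructed; only `>=x.y.z` ranges and bare package names are supported, and the lockfile is scanned with a regex over pnpm v9 `packages:`/`snapshots:` keys rather than a YAML parser.

```javascript
// Added example, not code from this PR or from Headlamp: check that a
// pnpm-lock.yaml honours the pnpm.overrides block in package.json.
// Only ">=x.y.z" override ranges and bare package names are handled, so
// the script needs no semver or YAML dependency and runs stand-alone.

// Constructed package.json excerpt; the override mirrors the PR's.
const PACKAGE_JSON = {
  name: 'example-plugin', // hypothetical name
  pnpm: { overrides: { lodash: '>=4.18.0' } },
};

// Constructed lockfile excerpts in pnpm v9 layout. The headlamp-plugin
// version is made up; it only plays the role of the transitive parent.
const LOCK_STALE = `lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      '@kinvolk/headlamp-plugin':
        specifier: ^0.0.0-example
        version: 0.0.0-example
packages:
  '@kinvolk/headlamp-plugin@0.0.0-example':
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
snapshots:
  '@kinvolk/headlamp-plugin@0.0.0-example':
    dependencies:
      lodash: 4.17.21
  lodash@4.17.21: {}
`;
// The same lockfile after "pnpm install" regenerated it under the override.
const LOCK_PATCHED = LOCK_STALE.split('4.17.21').join('4.18.0');

// Leading "major.minor.patch" only; prerelease tags and snapshot peer
// suffixes such as "1.0.0(bar@2.0.0)" are ignored for the comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports only the ">=x.y.z" form used by this PR's override; any other
// range (caret, tilde, "parent>child" selectors) is rejected loudly.
function parseMinimum(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1];
}

// Collect every "name@version" key at two-space indent, which is where
// pnpm v9 lists resolved packages and snapshots. Returns name -> Set(versions).
function resolvedVersions(lockText) {
  const found = new Map();
  const re = /^ {2}'?(@?[^@'\s]+)@(\d[^'\s:]*)'?:/gm;
  let m;
  while ((m = re.exec(lockText)) !== null) {
    const [, name, version] = m;
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  }
  return found;
}

// Report every resolved version that is below its override minimum. A
// package named in overrides but absent from the lockfile is not a violation.
function checkOverrides(lockText, pkg) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const resolved = resolvedVersions(lockText);
  const violations = [];
  for (const [name, range] of Object.entries(overrides)) {
    const minimum = parseMinimum(range);
    for (const version of resolved.get(name) || []) {
      if (compareVersions(version, minimum) < 0) {
        violations.push({ name, version, minimum });
      }
    }
  }
  return { ok: violations.length === 0, violations };
}

for (const [label, lock] of [['stale', LOCK_STALE], ['patched', LOCK_PATCHED]]) {
  const { ok, violations } = checkOverrides(lock, PACKAGE_JSON);
  console.log(label, ok ? 'OK' : 'VIOLATIONS', JSON.stringify(violations));
}
```

Against a real repository, read package.json and pnpm-lock.yaml from disk instead of the constants and run the check before `pnpm install --frozen-lockfile` in CI, so a lockfile that was not regenerated after the override fails the build instead of shipping the unpatched transitive copy.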