fix: patch high-severity vulnerabilities in picomatch and vite #128

Merged
privilegedescalation-engineer[bot] merged 2 commits from gandalf/fix-vulns-picomatch-vite into main 2026-05-04 11:01:53 +00:00

2 Commits

Author  SHA1  Date  Message

Chris Farhood  27aecdbda7  2026-05-04 10:56:09 +00:00
fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities

    Resolves 3 high-severity vulnerabilities from pnpm audit:
    - GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
    - GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
    - GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling

    Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).

    Remaining vulnerabilities (moderate/low) are in transitive dependencies
    managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
    which require upstream updates to those packages.

    Co-Authored-By: Paperclip <noreply@paperclip.ing>

Chris Farhood  5532dd0ac8  2026-05-04 10:56:09 +00:00
chore: replace Dependabot references with Renovate

    - SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
    - PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)

    Closes PRI-389. Parent PRI-387.

    Co-Authored-By: Paperclip <noreply@paperclip.ing>