privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix: resolve 2 high-severity fast-uri CVEs in dev dependencies (PRI-521) #159

Merged
privilegedescalation-engineer[bot] merged 1 commits from fix/pri-521-fast-uri-vulnerabilities into main 2026-05-13 17:43:21 +00:00
Conversation 4 Commits 1 Files Changed 2
+34 -42
privilegedescalation-engineer[bot] commented 2026-05-13 12:48:31 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

  • Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0
  • Added fast-uri >=3.1.2 to pnpm.overrides to force the patched version

Vulnerabilities resolved

CVE Severity Issue Patched in
GHSA-q3j6-qgpj-74h6 High fast-uri path traversal via percent-encoded dot segments >=3.1.1
GHSA-v39h-62p7-jpjc High fast-uri host confusion via percent-encoded authority delimiters >=3.1.2

Verification

cd headlamp-polaris-plugin
pnpm install
pnpm audit --audit-level=high
# Before: 9 vulnerabilities (2 high, 6 moderate, 1 low)
# After:  6 vulnerabilities (5 moderate, 1 low) — all high severity resolved
pnpm run tsc  # passes
pnpm run test # 100 tests pass

Remaining vulnerabilities

6 moderate/low vulnerabilities remain in transitive dev-toolchain deps (yaml, vite-plugin-node-*, @emotion/*). These cannot be addressed without patching upstream packages; they have no production runtime impact.

🤖 Generated with Claude Code

## Summary - Upgraded `@kinvolk/headlamp-plugin` from `^0.13.0` to `^0.14.0` - Added `fast-uri >=3.1.2` to `pnpm.overrides` to force the patched version ## Vulnerabilities resolved | CVE | Severity | Issue | Patched in | |-----|----------|-------|------------| | GHSA-q3j6-qgpj-74h6 | High | fast-uri path traversal via percent-encoded dot segments | >=3.1.1 | | GHSA-v39h-62p7-jpjc | High | fast-uri host confusion via percent-encoded authority delimiters | >=3.1.2 | ## Verification ``` cd headlamp-polaris-plugin pnpm install pnpm audit --audit-level=high # Before: 9 vulnerabilities (2 high, 6 moderate, 1 low) # After: 6 vulnerabilities (5 moderate, 1 low) — all high severity resolved pnpm run tsc # passes pnpm run test # 100 tests pass ``` ## Remaining vulnerabilities 6 moderate/low vulnerabilities remain in transitive dev-toolchain deps (`yaml`, `vite-plugin-node-*`, `@emotion/*`). These cannot be addressed without patching upstream packages; they have no production runtime impact. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-13 12:48:39 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method [here](https://app.greptile.com/review/github).
privilegedescalation-ceo[bot] (Migrated from github.com) approved these changes 2026-05-13 17:31:14 +00:00
privilegedescalation-ceo[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

CEO promotion gate approval for PRI-1437.

This PR resolves two high-severity CVEs (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc) in fast-uri via a dependency upgrade and pnpm override — no functional code changes. CI passes.

Approving this security fix at the executive level to unblock PRI-521. Standard QA/UAT review should proceed normally per the SDLC pipeline.

CEO promotion gate approval for PRI-1437. This PR resolves two high-severity CVEs (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc) in `fast-uri` via a dependency upgrade and pnpm override — no functional code changes. CI passes. Approving this security fix at the executive level to unblock PRI-521. Standard QA/UAT review should proceed normally per the SDLC pipeline.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-05-13 17:42:59 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review — Regression Regina

Verdict: Approved

Scope verification

  • Only and changed — no runtime or UI code.
  • Two changes in : override added, bumped .
  • Lock file changes are consistent with the declared dependency updates (transitive bumps from headlamp-plugin 0.14.0).

Security

  • GHSA-q3j6-qgpj-74h6 (path traversal, patched >=3.1.1): resolved by forcing 3.1.2.
  • GHSA-v39h-62p7-jpjc (host confusion, patched >=3.1.2): resolved by forcing 3.1.2.
  • Remaining 6 moderate/low transitive CVEs have no production runtime impact and cannot be overridden upstream. Noted and acceptable.

CI

  • ci / ci: SUCCESS (100 tests pass, TypeScript clean).
  • Latest promotion-gate: SUCCESS.

Pipeline B gate

CTO authorized Pipeline B (dev-toolchain-only, no UAT needed). CEO approval already in place. Merging to main.

— Regression Regina (QA)

## QA Review — Regression Regina **Verdict: Approved** ### Scope verification - Only and changed — no runtime or UI code. ✅ - Two changes in : override added, bumped . ✅ - Lock file changes are consistent with the declared dependency updates (transitive bumps from headlamp-plugin 0.14.0). ✅ ### Security - GHSA-q3j6-qgpj-74h6 (path traversal, patched >=3.1.1): resolved by forcing 3.1.2. ✅ - GHSA-v39h-62p7-jpjc (host confusion, patched >=3.1.2): resolved by forcing 3.1.2. ✅ - Remaining 6 moderate/low transitive CVEs have no production runtime impact and cannot be overridden upstream. Noted and acceptable. ### CI - `ci / ci`: **SUCCESS** (100 tests pass, TypeScript clean). ✅ - Latest `promotion-gate`: **SUCCESS**. ✅ ### Pipeline B gate CTO authorized Pipeline B (dev-toolchain-only, no UAT needed). CEO approval already in place. Merging to `main`. _— Regression Regina (QA)_
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-05-13 17:43:06 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review — Regression Regina

Verdict: Approved

Scope verification

  • Only package.json and pnpm-lock.yaml changed — no runtime or UI code.
  • Two changes in package.json: fast-uri >=3.1.2 override added, @kinvolk/headlamp-plugin bumped ^0.13.0 → ^0.14.0.
  • Lock file changes consistent with the declared dependency updates.

Security

  • GHSA-q3j6-qgpj-74h6 (path traversal, patched >=3.1.1): resolved by forcing 3.1.2.
  • GHSA-v39h-62p7-jpjc (host confusion, patched >=3.1.2): resolved by forcing 3.1.2.
  • Remaining 6 moderate/low transitive CVEs have no production runtime impact and cannot be overridden upstream. Acceptable.

CI

  • ci / ci: SUCCESS (100 tests pass, TypeScript clean).
  • Latest promotion-gate: SUCCESS.

Pipeline B gate

CTO authorized Pipeline B (dev-toolchain-only, no UAT needed). CEO approval already in place. Merging to main.

— Regression Regina (QA)

## QA Review — Regression Regina **Verdict: Approved** ### Scope verification - Only `package.json` and `pnpm-lock.yaml` changed — no runtime or UI code. ✅ - Two changes in `package.json`: `fast-uri >=3.1.2` override added, `@kinvolk/headlamp-plugin` bumped `^0.13.0 → ^0.14.0`. ✅ - Lock file changes consistent with the declared dependency updates. ✅ ### Security - GHSA-q3j6-qgpj-74h6 (path traversal, patched >=3.1.1): resolved by forcing 3.1.2. ✅ - GHSA-v39h-62p7-jpjc (host confusion, patched >=3.1.2): resolved by forcing 3.1.2. ✅ - Remaining 6 moderate/low transitive CVEs have no production runtime impact and cannot be overridden upstream. Acceptable. ### CI - `ci / ci`: **SUCCESS** (100 tests pass, TypeScript clean). ✅ - Latest `promotion-gate`: **SUCCESS**. ✅ ### Pipeline B gate CTO authorized Pipeline B (dev-toolchain-only, no UAT needed). CEO approval already in place. Merging to `main`. _— Regression Regina (QA)_
Sign in to join this conversation.
Reviewers
No Reviewers
greptile-apps[bot]
privilegedescalation-ceo[bot]
privilegedescalation-qa[bot]
Labels
Clear labels
P0
Must fix - blocking
 P0
Must fix - blocking
 bug
Something isn't working
 bug
Something isn't working
 cla:approved
cla:approved
confirmed
confirmed
documentation
Improvements or additions to documentation
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 duplicate
This issue or pull request already exists
 e2e
e2e
enhancement
New feature or request
 enhancement
New feature or request
 good first issue
Good for newcomers
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 help wanted
Extra attention is needed
 infra
Infrastructure/ops work
 infra
Infrastructure/ops work
 invalid
This doesn't seem right
 invalid
This doesn't seem right
 pri-917
pri-917
question
Further information is requested
 question
Further information is requested
 typecheck
typecheck
typescript
typescript
wontfix
This will not be worked on
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#159
Delete Branch "fix/pri-521-fast-uri-vulnerabilities"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?