fix: override lodash >=4.18.0 to patch code injection vulnerability (#38)
* fix: override lodash >=4.18.0 to patch code injection vulnerability

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

* Regenerate lockfile for lodash override

  - Explicitly add lodash@4.18.1 to ensure override is respected
  - Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

* Remove stray lodash devDependency to fix CI EOVERRIDE

  The previous commit added lodash@4.18.1 as a direct devDependency alongside the overrides.lodash >=4.18.0 entry. npm (invoked by headlamp-plugin build) rejects this with EOVERRIDE because the override conflicts with a direct dependency. The override alone is sufficient to drive lodash resolution; remove the direct dep and regenerate the lockfile.

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #38.
committed by
GitHub
parent
d44ae043c3
commit
0af4096b4f
+3
-2
@@ -46,6 +46,7 @@
|
||||
"overrides": {
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3",
|
||||
"vite": ">=6.4.2"
|
||||
"vite": ">=6.4.2",
|
||||
"lodash": ">=4.18.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
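Review bot: the added `"lodash": ">=4.18.0"` entry in `overrides` has no upper bound, so it also permits a future lodash major release for every package in the tree that depends on lodash. The `tar` and `undici` entries in the same block use caret ranges; `"lodash": "^4.18.0"` would keep the floor at the patched version while holding resolution inside 4.x. The `vite` line touched by this hunk uses the same open-ended `>=` form and has the same exposure. Since the commit message relies on the lockfile resolving to lodash@4.18.1, it would also help to state in the PR which consumer pulls lodash in transitively, so a later reviewer can tell when the override is safe to drop.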