From 0af4096b4f814958f2804edfc00c41e2e3b4f572 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Mon, 4 May 2026 03:23:43 +0000
Subject: [PATCH] fix: override lodash >=4.18.0 to patch code injection vulnerability (#38)

* fix: override lodash >=4.18.0 to patch code injection vulnerability

Co-Authored-By: Paperclip

* Regenerate lockfile for lodash override

- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)

Co-Authored-By: Paperclip

* Remove stray lodash devDependency to fix CI EOVERRIDE

The previous commit added lodash@4.18.1 as a direct devDependency alongside the overrides.lodash >=4.18.0 entry. npm (invoked by headlamp-plugin build) rejects this with EOVERRIDE because the override conflicts with a direct dependency. The override alone is sufficient to drive lodash resolution; remove the direct dep and regenerate the lockfile.

Co-Authored-By: Paperclip

---------

Co-authored-by: Chris Farhood
Co-authored-by: Paperclip
---
 package.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 4e546c9..5dec980 100644
--- a/package.json
+++ b/package.json
@@ -46,6 +46,7 @@
   "overrides": {
     "tar": "^7.5.11",
     "undici": "^7.24.3",
-    "vite": ">=6.4.2"
+    "vite": ">=6.4.2",
+    "lodash": ">=4.18.0"
   }
-}
+}
\ No newline at end of file
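Review bot: The trailing `-}` / `+}` pair followed by `\ No newline at end of file` does nothing except strip package.json's final newline, which is editor noise rather than part of the fix — restore the trailing newline so the hunk is only the added `"lodash": ">=4.18.0"` entry. The new override is an open-ended `>=` floor like the `vite` entry, whereas `tar` and `undici` use caret ranges; with no upper bound the override will force any future lodash major onto every nested consumer, so `"lodash": "^4.18.0"` (or `">=4.18.0 <5"`) enforces the patched floor without that risk. The message says pnpm-lock.yaml was regenerated to resolve lodash@4.18.1, but the diffstat lists only package.json, so the resolved version cannot be confirmed from this patch — presumably the lockfile change netted out across the squashed commits or the lockfile is untracked; worth checking with `pnpm why lodash` that nothing still resolves below 4.18.0 before treating the CVE as closed.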