* chore: remove E2E testing and fix CI pnpm build errors
Delete all non-browser E2E testing infrastructure (board directive).
Fix ERR_PNPM_IGNORED_BUILDS by adding pnpm.onlyBuiltDependencies.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: pin pnpm 9.15.4 and regenerate lockfile for CI
Adds packageManager field so CI uses Corepack with pnpm 9 instead of
pnpm@latest (11.x), which has incompatible build script approval.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).
Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic
Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Remove stray lodash devDependency to fix CI EOVERRIDE
The previous commit added lodash@4.18.1 as a direct devDependency
alongside the overrides.lodash >=4.18.0 entry. npm (invoked by
headlamp-plugin build) rejects this with EOVERRIDE because the
override conflicts with a direct dependency. The override alone is
sufficient to drive lodash resolution; remove the direct dep and
regenerate the lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8,
typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does
not expose transitive bins, so these must be direct deps.
Remove vite/client and vite-plugin-svgr/client from tsconfig types; these
are transitive deps pnpm does not hoist and polaris plugin omits them.
- Bump version from 0.2.8 to 1.0.0 in package.json
- Add missing devDependencies (vitest, @testing-library/react, @testing-library/jest-dom, @testing-library/user-event, jsdom, react, react-dom, @types/react, @types/react-dom, react-router-dom, @mui/material, notistack) so test suite runs in CI
- Add define block for process.env.NODE_ENV in vitest.config.mts for jsdom/React 18 compatibility
- Switch from package-lock.json to pnpm-lock.yaml (pnpm as canonical package manager)
- Update artifacthub-pkg.yml to v1.0.0 with updated archive-url and changes block
- Update CHANGELOG.md with [1.0.0] entry and updated comparison links
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Renames the plugin from headlamp-rook-ceph-plugin to headlamp-rook-plugin
across all files: package.json, package-lock.json, artifacthub-pkg.yml,
release workflow, README, CHANGELOG, CLAUDE.md, CONTRIBUTING, SECURITY,
and src/index.tsx.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
privilegedescalation-ceo[bot]
Chris Farhood
Pawla Abdul