Regenerate lockfile for lodash override

- Explicitly add lodash@4.18.1 to ensure override is respected - Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix) Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix: override lodash >=4.18.0 to patch code injection vulnerability
2026-05-03 18:28:22 +00:00 · 2026-04-23 10:58:22 +00:00 · 2026-04-15 04:00:27 +00:00 · 2026-04-15 03:51:02 +00:00 · 2026-04-15 03:29:41 +00:00
4 changed files with 20 additions and 13 deletions
@@ -16,3 +16,5 @@ jobs:
  dual-approval:
    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
@@ -1,4 +1,4 @@
-version: "1.0.1"
+version: "1.0.2"
 name: headlamp-rook-plugin
 displayName: Rook Plugin
 createdAt: "2026-02-18T00:00:00Z"
@@ -35,7 +35,7 @@ changes:
    description: "Renovate: extend org-level config preset and add pinDigests for SHA pinning of GitHub Actions"

 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-rook-plugin/releases/download/v1.0.1/rook-1.0.1.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:36a62cda46194fd88335e3b3af12e7c89bb1ec21671c747e0bc2e1e3cd02d0fc
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-rook-plugin/releases/download/v1.0.2/rook-1.0.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:4f16cec3297968c7eb06e475a1c175503abf17134bd411fc86be1f18d9d27a48
  headlamp/plugin/distro-compat: ""
  headlamp/plugin/version-compat: ">=0.20"
@@ -1,6 +1,6 @@
 {
  "name": "rook",
-  "version": "1.0.1",
+  "version": "1.0.2",
  "description": "Headlamp plugin for Rook-Ceph cluster visibility and CSI driver monitoring",
  "repository": {
    "type": "git",
@@ -35,6 +35,7 @@
    "@types/react-dom": "^18.0.0",
    "eslint": "^8.57.0",
    "jsdom": "^24.0.0",
+    "lodash": "4.18.1",
    "notistack": "^3.0.0",
    "prettier": "^2.8.8",
    "react": "^18.3.1",
@@ -45,6 +46,7 @@
  },
  "overrides": {
    "tar": "^7.5.11",
-    "undici": "^7.24.3"
+    "undici": "^7.24.3",
+    "lodash": ">=4.18.0"
  }
 }
@@ -38,6 +38,9 @@ importers:
      jsdom:
        specifier: ^24.0.0
        version: 24.1.3
+      lodash:
+        specifier: 4.18.1
+        version: 4.18.1
      notistack:
        specifier: ^3.0.0
        version: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
@@ -3512,8 +3515,8 @@ packages:
  lodash.truncate@4.4.2:
    resolution: {integrity: sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==}

-  lodash@4.17.23:
-    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
+  lodash@4.18.1:
+    resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}

  longest-streak@3.1.0:
    resolution: {integrity: sha512-9Ri+o0JYgehTaVBBDoMqIl8GXtbWg711O3srftcHhZ0dqnETqLaoIK0x17fUw9rFSlK/0NlsKe0Ahhyl5pXE2g==}
@@ -5897,7 +5900,7 @@ snapshots:
      js-yaml: 4.1.1
      jsdom: 24.1.3
      jsonpath-plus: 10.4.0
-      lodash: 4.17.23
+      lodash: 4.18.1
      material-react-table: 2.13.3(93149b7a28d7dcf9399e2d03ebc8c990)
      monaco-editor: 0.52.2
      msw: 2.4.9(typescript@5.6.2)
@@ -8887,7 +8890,7 @@ snapshots:
    dependencies:
      '@types/html-minifier-terser': 6.1.0
      html-minifier-terser: 6.1.0
-      lodash: 4.17.23
+      lodash: 4.18.1
      pretty-error: 4.0.0
      tapable: 2.3.2
    optionalDependencies:
@@ -9340,7 +9343,7 @@ snapshots:

  lodash.truncate@4.4.2: {}

-  lodash@4.17.23: {}
+  lodash@4.18.1: {}

  longest-streak@3.1.0: {}

@@ -10061,7 +10064,7 @@ snapshots:

  pretty-error@4.0.0:
    dependencies:
-      lodash: 4.17.23
+      lodash: 4.18.1
      renderkid: 3.0.0

  pretty-format@27.5.1:
@@ -10322,7 +10325,7 @@ snapshots:
    dependencies:
      clsx: 2.1.1
      eventemitter3: 4.0.7
-      lodash: 4.17.23
+      lodash: 4.18.1
      react: 18.3.1
      react-dom: 18.3.1(react@18.3.1)
      react-is: 18.3.1
@@ -10398,7 +10401,7 @@ snapshots:
      css-select: 4.3.0
      dom-converter: 0.2.0
      htmlparser2: 6.1.0
-      lodash: 4.17.23
+      lodash: 4.18.1
      strip-ansi: 6.0.1

  replace-ext@2.0.0: {}
Author	SHA1	Message	Date
Chris Farhood	9836b5d070	Regenerate lockfile for lodash override - Explicitly add lodash@4.18.1 to ensure override is respected - Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-03 18:28:22 +00:00
Gandalf the Greybeard	6c1fdec0f6	fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-23 10:58:22 +00:00
privilegedescalation-engineer[bot]	39ed3ea90a	release: v1.0.2 (#36 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-15 04:00:27 +00:00
privilegedescalation-ceo[bot]	d096a6c70c	fix: correct artifacthub-pkg.yml checksum on main for v1.0.1 Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>	2026-04-15 03:51:02 +00:00
privilegedescalation-engineer[bot]	4e5d1a2157	fix: pass pr_number to dual-approval-check workflow (#31 ) Companion PR to privilegedescalation/.github#81 Co-authored-by: Hugh Hackman <hugh@paperclip.ing> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-15 03:29:41 +00:00