From dd730cc4cd0aa4a6facdfa093b94a3d5d5892a1a Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 3 May 2026 22:27:30 +0000
Subject: [PATCH 1/3] fix: override lodash >=4.18.0 to patch code injection vulnerability
Co-Authored-By: Paperclip
---
 package.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 4e546c9..28bf36e 100644
--- a/package.json
+++ b/package.json
@@ -35,6 +35,7 @@
 "@types/react-dom": "^18.0.0",
 "eslint": "^8.57.0",
 "jsdom": "^24.0.0",
+ "lodash": "4.18.1",
 "notistack": "^3.0.0",
 "prettier": "^2.8.8",
 "react": "^18.3.1",
@@ -46,6 +47,7 @@
 "overrides": {
 "tar": "^7.5.11",
 "undici": "^7.24.3",
- "vite": ">=6.4.2"
+ "vite": ">=6.4.2",
+ "lodash": ">=4.18.0"
 }
-}
+}
\ No newline at end of file
-- 
2.52.0
From 62bab0ffc381f15252782cad94444c4a4441063e Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 3 May 2026 18:28:22 +0000
Subject: [PATCH 2/3] Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)
Co-Authored-By: Paperclip
---
 pnpm-lock.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6a1bd54..bc0b934 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,6 +38,9 @@ importers:
 jsdom:
 specifier: ^24.0.0
 version: 24.1.3
+ lodash:
+ specifier: 4.18.1
+ version: 4.18.1
 notistack:
 specifier: ^3.0.0
 version: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
-- 
2.52.0
From 43998745d9226d1139d459af43f34c686f0adacc Mon Sep 17 00:00:00 2001
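Review bot: The new `"lodash": ">=4.18.0"` entry in the second hunk lands in npm's top-level `overrides`, but this repository resolves with pnpm (pnpm-lock.yaml), which takes its overrides from `pnpm.overrides` in package.json (or `overrides` in pnpm-workspace.yaml) and records them under an `overrides:` key in the lockfile; neither lockfile hunk in this series touches such a key, and patch 3 returns pnpm-lock.yaml to its pre-series blob (`index bc0b934..6a1bd54`), so pnpm-based installs presumably still resolve the transitive lodash exactly as before and only the npm path named in patch 3's message picks up the patched version. Declaring the same pin under `"pnpm": { "overrides": { "lodash": ">=4.18.0" } }`, regenerating the lockfile and confirming with `pnpm why lodash` that no copy below 4.18.0 remains would close that gap. Separately, the rewrite drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring so later diffs of package.json stay clean.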
From: Chris Farhood
Date: Sun, 3 May 2026 23:24:39 +0000
Subject: [PATCH 3/3] Remove stray lodash devDependency to fix CI EOVERRIDE
The previous commit added lodash@4.18.1 as a direct devDependency alongside the overrides.lodash >=4.18.0 entry. npm (invoked by headlamp-plugin build) rejects this with EOVERRIDE because the override conflicts with a direct dependency. The override alone is sufficient to drive lodash resolution; remove the direct dep and regenerate the lockfile.
Co-Authored-By: Paperclip
---
 package.json | 1 -
 pnpm-lock.yaml | 3 ---
 2 files changed, 4 deletions(-)
diff --git a/package.json b/package.json
index 28bf36e..5dec980 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,6 @@
 "@types/react-dom": "^18.0.0",
 "eslint": "^8.57.0",
 "jsdom": "^24.0.0",
- "lodash": "4.18.1",
 "notistack": "^3.0.0",
 "prettier": "^2.8.8",
 "react": "^18.3.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index bc0b934..6a1bd54 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,9 +38,6 @@ importers:
 jsdom:
 specifier: ^24.0.0
 version: 24.1.3
- lodash:
- specifier: 4.18.1
- version: 4.18.1
 notistack:
 specifier: ^3.0.0
 version: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
-- 
2.52.0