fix: override lodash >=4.18.0 to patch code injection vulnerability #38

Merged

privilegedescalation-engineer[bot] merged 3 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-04 03:23:44 +00:00

Conversation 14 Commits 3 Files Changed 1

+3 -2

3 Commits

Author	SHA1	Message	Date
Chris Farhood	43998745d9	Remove stray lodash devDependency to fix CI EOVERRIDE ... The previous commit added lodash@4.18.1 as a direct devDependency alongside the overrides.lodash >=4.18.0 entry. npm (invoked by headlamp-plugin build) rejects this with EOVERRIDE because the override conflicts with a direct dependency. The override alone is sufficient to drive lodash resolution; remove the direct dep and regenerate the lockfile. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-03 23:24:39 +00:00
Chris Farhood	62bab0ffc3	Regenerate lockfile for lodash override ... - Explicitly add lodash@4.18.1 to ensure override is respected - Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-03 22:27:36 +00:00
Chris Farhood	dd730cc4cd	fix: override lodash >=4.18.0 to patch code injection vulnerability ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-03 22:27:30 +00:00