fix: override lodash >=4.18.0 to patch code injection vulnerability #38

Merged
privilegedescalation-engineer[bot] merged 3 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-04 03:23:44 +00:00
+3 -2
@@ -46,6 +46,7 @@
"overrides": {
"tar": "^7.5.11",
"undici": "^7.24.3",
"vite": ">=6.4.2"
"vite": ">=6.4.2",
"lodash": ">=4.18.0"
greptile-apps[bot] commented 2026-04-23 11:02:57 +00:00 (Migrated from github.com)
Review

P2 Unbounded upper version range may pull in a future lodash major version

The override uses `>=4.18.0` with no upper bound. If a `5.x` release of lodash is ever published with breaking API changes, this override would allow it to be resolved and installed, potentially breaking the build or runtime behavior. The two other overrides in this file both use the caret (`^`) range, which pins to the same major version:

```json
"tar": "^7.5.11",
"undici": "^7.24.3"
```

For consistency and safety, prefer `^4.18.0` (equivalent to `>=4.18.0 <5.0.0`):

```json
"lodash": "^4.18.0"
```

This still satisfies the security requirement (patched at `4.18.0`) while preventing accidental major-version bumps.

}
}
}
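Review bot: the hunk touches only package.json (the PR stats show +3 -2 in a single file), so adding `"lodash": ">=4.18.0"` to `overrides` changes nothing in what is actually installed until the lockfile (package-lock.json for npm) is regenerated and committed; confirm one of the three merged commits updates the lockfile, otherwise CI and deployments keep resolving the vulnerable lodash the PR title says it patches. Also, the caret-range consistency point raised in the review above applies equally to the neighbouring `"vite": ">=6.4.2",` line: both `>=` overrides are unbounded, so if lodash is tightened to `^4.18.0`, tighten vite to `^6.4.2` in the same change for the same reason.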