From f3401bbea3d9a52fe3aa75432803312952bf3685 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 3 May 2026 18:29:10 +0000
Subject: [PATCH 1/2] Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)
Co-Authored-By: Paperclip
---
 pnpm-lock.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6a1bd54..bc0b934 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,6 +38,9 @@ importers:
 jsdom:
 specifier: ^24.0.0
 version: 24.1.3
+ lodash:
+ specifier: 4.18.1
+ version: 4.18.1
 notistack:
 specifier: ^3.0.0
 version: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
--
2.52.0
From 40949dd3b53353250fe8d49d3f7935d3718c8e7d Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 3 May 2026 22:47:14 +0000
Subject: [PATCH 2/2] fix: drop bogus direct lodash devDependency that conflicted with override
The rebase added "lodash": "4.18.1" as a direct devDependency alongside the >=4.18.0 override, which npm rejects with EOVERRIDE during the headlamp-plugin build step. The plugin source does not import lodash; the override alone is sufficient to patch the transitive CVE.
Co-Authored-By: Paperclip
---
 pnpm-lock.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index bc0b934..6a1bd54 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,9 +38,6 @@ importers:
 jsdom:
 specifier: ^24.0.0
 version: 24.1.3
- lodash:
- specifier: 4.18.1
- version: 4.18.1
 notistack:
 specifier: ^3.0.0
 version: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
--
2.52.0