fix: override lodash >=4.18.0 to patch code injection vulnerability #29

Merged
privilegedescalation-engineer[bot] merged 2 commits from fix/lodash-cve-ghsa-r5fr-rjxr-66jc into main 2026-05-04 03:23:58 +00:00

2 Commits

Author SHA1 Message Date
Chris Farhood 40949dd3b5 fix: drop bogus direct lodash devDependency that conflicted with override
The rebase added "lodash": "4.18.1" as a direct devDependency alongside
the >=4.18.0 override, which npm rejects with EOVERRIDE during the
headlamp-plugin build step. The plugin source does not import lodash;
the override alone is sufficient to patch the transitive CVE.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 02:57:31 +00:00
Chris Farhood f3401bbea3 Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 02:57:31 +00:00
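The override-versus-direct-dependency conflict the first commit describes, as an added check that is not the project's own code: the two package.json documents are constructed samples, and npm's EOVERRIDE rule is modelled here as "same package named both as a direct dependency and under overrides, with differing specs".

```python
import json

# Constructed sample (not the plugin's real package.json): the state the first
# commit describes, a direct devDependency pinned to 4.18.1 next to an
# override of >=4.18.0 for the same package, which npm rejects with EOVERRIDE.
CONFLICTING = json.dumps({
    "name": "example-plugin",
    "devDependencies": {"lodash": "4.18.1", "typescript": "^5.0.0"},
    "overrides": {"lodash": ">=4.18.0"},
})

# Constructed corrected state: lodash appears only as an override, which is
# enough to force the transitive copy onto a patched version.
FIXED = json.dumps({
    "name": "example-plugin",
    "devDependencies": {"typescript": "^5.0.0"},
    "overrides": {"lodash": ">=4.18.0"},
})

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def override_conflicts(package_json_text):
    """Return (package, direct_spec, override_spec) for each package that is
    both a direct dependency and an override with a different spec.
    Reads npm's top-level "overrides" and pnpm's "pnpm.overrides" so the
    check works for either manager's manifest layout (assumed layout)."""
    manifest = json.loads(package_json_text)
    overrides = dict(manifest.get("overrides", {}))
    overrides.update(manifest.get("pnpm", {}).get("overrides", {}))
    conflicts = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if name in overrides and overrides[name] != spec:
                conflicts.append((name, spec, overrides[name]))
    return conflicts


def drop_conflicting_direct_deps(package_json_text):
    """Apply the commit's fix: remove the duplicate direct entries and keep
    the override. Only appropriate when, as here, the code does not import
    the package itself; otherwise align the direct spec with the override."""
    manifest = json.loads(package_json_text)
    for name, _direct, _override in override_conflicts(package_json_text):
        for field in DEP_FIELDS:
            manifest.get(field, {}).pop(name, None)
    return json.dumps(manifest)
```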