Chris Farhood
9a944560f5
CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do not ship in production plugin artifacts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
20 lines
782 B
JSON
20 lines
782 B
JSON
{
|
|
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
|
|
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
|
|
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
|
|
// and do NOT ship in production plugin artifacts.
|
|
"allowlist": [
|
|
{
|
|
"id": "GHSA-hhpm-516h-p3p6",
|
|
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
|
|
},
|
|
{
|
|
"id": "GHSA-36xf-7xpp-53w5",
|
|
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
|
|
},
|
|
{
|
|
"id": "GHSA-jf8v-p3pp-93qh",
|
|
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
|
|
}
|
|
]
|
|
} |