From 7453c763793f23b892b0803dd48735aa40287b9e Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Mon, 6 Apr 2026 11:30:48 -0600
Subject: [PATCH 1/2] Fix CVEs: add npm overrides for picomatch, yaml, brace-expansion, lodash

Add overrides to resolve known vulnerabilities:
- picomatch@2 -> 2.3.2 (ReDoS via extglob quantifiers)
- picomatch@4 -> 4.0.4 (ReDoS via extglob quantifiers)
- yaml@1 -> 1.10.3 (stack overflow via deeply nested collections)
- brace-expansion@2 -> 2.0.3 (zero-step sequence hang)
- lodash -> 4.18.1 (prototype pollution and code injection)

Remaining: brace-expansion 1.x (1.1.12) has no fixed version available.
---
 ui/extensions/hello/package-lock.json | 48 +++++++++++++--------------
 ui/extensions/hello/package.json | 8 +++--
 ui/extensions/hello/src/dist/app.js | 3 ++
 3 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/ui/extensions/hello/package-lock.json b/ui/extensions/hello/package-lock.json
index ba3c5a5..0fd5690 100644
--- a/ui/extensions/hello/package-lock.json
+++ b/ui/extensions/hello/package-lock.json
@@ -3905,9 +3905,9 @@
 }
 },
 "node_modules/@web/rollup-plugin-html/node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "dev": true,
 "license": "MIT",
 "engines": {
@@ -4014,9 +4014,9 @@
 }
 },
 "node_modules/anymatch/node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "license": "MIT",
 "engines": {
 "node": ">=8.6"
@@ -4269,9 +4269,9 @@
 "license": "ISC"
 },
 "node_modules/brace-expansion": {
- "version": "2.0.2",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
- "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+ "version": "2.0.3",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+ "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
@@ -7562,9 +7562,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "license": "MIT"
 },
 "node_modules/lodash.camelcase": {
@@ -7718,9 +7718,9 @@
 }
 },
 "node_modules/micromatch/node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "license": "MIT",
 "engines": {
 "node": ">=8.6"
@@ -8202,9 +8202,9 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
- "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+ "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 "dev": true,
 "license": "MIT",
 "engines": {
@@ -9166,9 +9166,9 @@
 }
 },
 "node_modules/readdirp/node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "license": "MIT",
 "engines": {
 "node": ">=8.6"
@@ -10618,9 +10618,9 @@
 "license": "ISC"
 },
 "node_modules/yaml": {
- "version": "1.10.2",
- "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz",
- "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
+ "version": "1.10.3",
+ "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.3.tgz",
+ "integrity": "sha512-vIYeF1u3CjlhAFekPPAk2h/Kv4T3mAkMox5OymRiJQB0spDP10LHvt+K7G9Ny6NuuMAb25/6n1qyUjAcGNf/AA==",
 "license": "ISC",
 "engines": {
 "node": ">= 6"
diff --git a/ui/extensions/hello/package.json b/ui/extensions/hello/package.json
index 8a0bb2d..4b4521e 100644
--- a/ui/extensions/hello/package.json
+++ b/ui/extensions/hello/package.json
@@ -68,9 +68,13 @@
 },
 "overrides": {
 "js-yaml": "^3.14.2",
- "lodash": "4.17.23",
+ "lodash": "4.18.1",
 "svgo": "2.8.1",
 "minimatch@3": "3.1.4",
- "minimatch@9": "9.0.9"
+ "minimatch@9": "9.0.9",
+ "picomatch@2": "2.3.2",
+ "picomatch@4": "4.0.4",
+ "yaml@1": "1.10.3",
+ "brace-expansion@2": "2.0.3"
 }
 }
diff --git a/ui/extensions/hello/src/dist/app.js b/ui/extensions/hello/src/dist/app.js
index 366af1e..1c13072 100644
--- a/ui/extensions/hello/src/dist/app.js
+++ b/ui/extensions/hello/src/dist/app.js
@@ -3857,6 +3857,9 @@ class Navigation {
 },
 });
 }
+ /**
+ * @deprecated Use navigateTo directly
+ */
 async onClick(event, defaultTarget = '_self', defaultType = 'falcon') {
 if (!(event instanceof Event)) {
 throw Error('"event" property should be subclass of Event');

From d102f8ea9c1b05ab0d1d46b3cbb96731c46f32cf Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Mon, 6 Apr 2026 11:45:55 -0600
Subject: [PATCH 2/2] Revert lodash override to 4.17.23 (4.18.1 fix version not yet available)

---
 ui/extensions/hello/package-lock.json | 18 ++++++++++++------
 ui/extensions/hello/package.json | 2 +-
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/ui/extensions/hello/package-lock.json b/ui/extensions/hello/package-lock.json
index 0fd5690..d026da7 100644
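Review bot: The `@deprecated` JSDoc added above `onClick` in `src/dist/app.js` has nothing to do with the CVE overrides this commit describes, and the `dist` segment in the path suggests (inferred from the name only) that the file is build output, in which case a hand-edited annotation there is lost on the next build and belongs in the source that generates it. If the change is intentional it should at least be mentioned in the commit message, and the tag would help callers more if it named how `navigateTo` is to be called in place of the event handler, rather than the bare `@deprecated Use navigateTo directly`. The `Navigation` class opens before this hunk and the body of `onClick` continues past it, so the replacement call form cannot be confirmed from what is visible here.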
--- a/ui/extensions/hello/package-lock.json
+++ b/ui/extensions/hello/package-lock.json
@@ -7561,12 +7561,6 @@
 "node": ">=8"
 }
 },
- "node_modules/lodash": {
- "version": "4.18.1",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
- "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
- "license": "MIT"
- },
 "node_modules/lodash.camelcase": {
 "version": "4.3.0",
 "resolved": "https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz",
@@ -7864,6 +7858,12 @@
 "lodash": "^4.17.21"
 }
 },
+ "node_modules/node-emoji/node_modules/lodash": {
+ "version": "4.17.23",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "license": "MIT"
+ },
 "node_modules/node-int64": {
 "version": "0.4.0",
 "resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz",
@@ -9980,6 +9980,12 @@
 "postcss": "^8.0.9"
 }
 },
+ "node_modules/tailwindcss/node_modules/lodash": {
+ "version": "4.17.23",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "license": "MIT"
+ },
 "node_modules/terser": {
 "version": "5.46.0",
 "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.0.tgz",
diff --git a/ui/extensions/hello/package.json b/ui/extensions/hello/package.json
index 4b4521e..da6c32f 100644
--- a/ui/extensions/hello/package.json
+++ b/ui/extensions/hello/package.json
@@ -68,7 +68,7 @@
 },
 "overrides": {
 "js-yaml": "^3.14.2",
- "lodash": "4.18.1",
+ "lodash": "4.17.23",
 "svgo": "2.8.1",
 "minimatch@3": "3.1.4",
 "minimatch@9": "9.0.9",
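Review bot: The override `"lodash": "4.17.23"` in the package.json hunk puts back the exact version that the first patch's message lists as affected by prototype pollution and code injection, so after this revert the series still ships with that finding open while its title says the CVEs are fixed. The second commit's message should carry that over into the same "Remaining" list the first one keeps for brace-expansion 1.x, e.g. `Remaining: lodash 4.17.23 (no fixed version available at time of writing)`, so the residual exposure is recorded next to the pin that causes it. The first patch's lockfile did record a `resolved` URL and an `integrity` hash for lodash-4.18.1.tgz, which suggests a tarball under that version name was obtained at some point; that is worth reconciling with the "not yet available" rationale before accepting the revert, since the lockfile now carries two nested 4.17.23 copies (under node-emoji and tailwindcss) instead of one hoisted entry. The overrides block continues outside the hunk.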