Posted to yarn-dev@hadoop.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/04/07 10:53:00 UTC
[jira] [Created] (YARN-11109) many UI NPMs have published vulnerabilities
PJ Fanning created YARN-11109:
---------------------------------
Summary: many UI NPMs have published vulnerabilities
Key: YARN-11109
URL: https://issues.apache.org/jira/browse/YARN-11109
Project: Hadoop YARN
Issue Type: Improvement
Components: yarn-ui-v2
Reporter: PJ Fanning
Mainly associated with hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/yarn.lock
Dependabot reports issues in GitHub forks but doesn't allow other users to see them. To see the same results that I see, fork hadoop, go into the Security tab and enable Dependabot alerts (see https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
A brief summary of NPMs being reported:
* lodash (critical cve) https://github.com/advisories/GHSA-jf85-cpcp-j695
* lodash.merge (critical cve)
* lodash-es (critical cve)
* minimist (critical cve)
* cryptiles (critical cve) https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
* ansi-regex
* follow-redirects
* ajv
* handlebars (critical cve)
* xmlhttprequest-ssl (critical cve)
* chownr
* node-sass
* mout
* shelljs
* xmldom
* markdown-it
* json-schema
* jsonpointer
* tmpl
* tar
* path-parse
* socket.io-parser
* trim-newlines
* glob-parent
* minimatch
* tough-cookie
* others with lower risks
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json
* also has issues, notably with an old version of Angular
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
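An added example, not part of the ticket or of the Hadoop project, showing how a lockfile like the one named above can be checked offline against a table of known-fixed versions: a small parser for the Yarn v1 lockfile format, a semver-style comparison, and a report of every resolved version that is below an advisory's fixed version. The lockfile excerpt, the advisory ids and the "fixed in" thresholds are all constructed for the demo (they are not the real published ranges); for a live check against the registry, Yarn v1's built-in `yarn audit` does the lookup for you.

```python
"""Scan a Yarn v1 lockfile for resolved versions below an advisory's fixed version.

Added example, not code from the YARN-11109 ticket or from Hadoop. It runs offline
on a constructed lockfile excerpt and a constructed advisory table; the advisory ids
and "fixed in" versions are placeholders, not the real published ranges.
"""
import re
from collections import defaultdict

# Constructed yarn.lock excerpt in the Yarn v1 format: header lines end with ':',
# entry fields are indented by two spaces, scoped packages are quoted.
SAMPLE_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.2.0"
  resolved "https://registry.example/@scope/pkg/-/pkg-1.2.0.tgz#aaa"

lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.10"
  resolved "https://registry.example/lodash/-/lodash-4.17.10.tgz#bbb"

lodash@~4.17.15:
  version "4.17.21"
  resolved "https://registry.example/lodash/-/lodash-4.17.21.tgz#ccc"

minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.example/minimist/-/minimist-1.2.0.tgz#ddd"

tough-cookie@~2.3.0:
  version "2.3.4"
  resolved "https://registry.example/tough-cookie/-/tough-cookie-2.3.4.tgz#eee"
'''

# Constructed advisory table: package -> (advisory id, first fixed version).
# Placeholder ids and thresholds; fill these from the GitHub Advisory Database.
ADVISORIES = {
    "lodash": ("GHSA-PLACEHOLDER-1", "4.17.21"),
    "minimist": ("GHSA-PLACEHOLDER-2", "1.2.6"),
    "tough-cookie": ("GHSA-PLACEHOLDER-3", "2.3.3"),
}

_HEADER = re.compile(r'^(\S.*):$')             # unindented 'spec, spec:' line
_VERSION = re.compile(r'^\s+version\s+"([^"]+)"$')


def _names_from_header(header: str) -> set:
    """Turn 'lodash@^4.17.4, "@scope/pkg@^1.0.0"' into {'lodash', '@scope/pkg'}."""
    names = set()
    for spec in header.split(","):
        spec = spec.strip().strip('"')
        # Scoped names start with '@', so the version separator is the last '@'.
        names.add(spec.rsplit("@", 1)[0])
    return names


def parse_yarn_lock(text: str) -> dict:
    """Return {package name: set of resolved versions} from Yarn v1 lockfile text."""
    resolved = defaultdict(set)
    current = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = _HEADER.match(line)
        if m:
            current = _names_from_header(m.group(1))
            continue
        m = _VERSION.match(line)
        if m:
            for name in current:
                resolved[name].add(m.group(1))
    return dict(resolved)


def version_key(version: str) -> tuple:
    """Sort key for semver-like strings; a pre-release sorts below its release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return nums, (pre == "", pre)


def find_vulnerable(lock: dict, advisories: dict) -> list:
    """List (package, resolved, advisory id, fixed) for every resolved version
    that is older than the advisory's fixed version."""
    findings = []
    for name, (advisory, fixed) in advisories.items():
        for ver in lock.get(name, ()):
            if version_key(ver) < version_key(fixed):
                findings.append((name, ver, advisory, fixed))
    return sorted(findings)


if __name__ == "__main__":
    for name, ver, advisory, fixed in find_vulnerable(parse_yarn_lock(SAMPLE_LOCK), ADVISORIES):
        print(f"{name}@{ver}: {advisory} (fixed in {fixed})")
```

Point the script at a real yarn.lock by reading the file into `parse_yarn_lock` instead of `SAMPLE_LOCK`; note that one package commonly resolves to several versions at once (as lodash does above), so each resolved version is reported separately and an upgrade of one `package.json` range may leave an older transitive copy behind.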