Posted to dev@pinot.apache.org by PJ Fanning <fa...@apache.org> on 2022/04/06 14:25:22 UTC

pinot-controller NPM security issues

Hi everyone,
I raised an issue about multiple insecure NPMs that are used in
pinot-controller.

https://github.com/apache/pinot/issues/8476

I'm not a UI expert and not really a Pinot user, I'm just an ASF
member looking to get teams to upgrade their dependencies to improve
security.

Would any of the Pinot contributors be in a position to try upgrades?

This command can often do a lot of the work:
npm audit fix

Regards,
PJ

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pinot.apache.org
For additional commands, e-mail: dev-help@pinot.apache.org
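As an added example (not code from this thread or the Pinot project), a small Python helper that reads `npm audit --json` output and separates the findings `npm audit fix` will resolve on its own from those that need a reviewed semver-major upgrade (`npm audit fix --force`) or have no published fix at all. The audit JSON inside it is a constructed sample in the npm 7+ report shape; the package names, versions and advisory URLs are illustrative, not the actual pinot-controller findings.

```python
import json

# Constructed sample in the shape of `npm audit --json` (npm >= 7); package names,
# versions and advisory URLs are illustrative, not the actual pinot-controller findings.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "minimist": {
            "name": "minimist", "severity": "critical", "isDirect": False,
            "via": [{"title": "Prototype Pollution", "url": "https://example.invalid/adv/1"}],
            "range": "<1.2.6", "fixAvailable": True,
        },
        "node-sass": {
            "name": "node-sass", "severity": "high", "isDirect": True,
            "via": ["node-gyp"], "range": "<=7.0.0",
            "fixAvailable": {"name": "node-sass", "version": "7.0.1", "isSemVerMajor": True},
        },
        "old-lib": {
            "name": "old-lib", "severity": "moderate", "isDirect": False,
            "via": [{"title": "ReDoS", "url": "https://example.invalid/adv/2"}],
            "range": "*", "fixAvailable": False,
        },
    },
})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def classify_audit(audit_json: str, min_severity: str = "low") -> dict:
    """Bucket packages by how `npm audit fix` treats them: auto_fix (upgradable
    within current semver ranges), needs_major (a fix exists but needs a major bump,
    i.e. `npm audit fix --force`, so a human reviews it), no_fix (nothing published).
    """
    report = json.loads(audit_json)
    threshold = SEVERITY_ORDER.index(min_severity)
    buckets = {"auto_fix": [], "needs_major": [], "no_fix": []}
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        severity = vuln.get("severity", "info")
        if SEVERITY_ORDER.index(severity) < threshold:
            continue  # below the severity the caller cares about
        fix = vuln.get("fixAvailable", False)
        if fix is False:
            bucket = "no_fix"
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            bucket = "needs_major"
        else:
            bucket = "auto_fix"
        # isDirect tells the reviewer whether it is their own package.json entry
        buckets[bucket].append((name, severity, bool(vuln.get("isDirect"))))
    return buckets
```

Run `npm audit --json > audit.json` in the UI module and feed the file to `classify_audit`; the `needs_major` and `no_fix` buckets are the ones that still need a person to verify the UI after upgrading.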


Re: pinot-controller NPM security issues

Posted by Mayank Shrivastava <ma...@gmail.com>.
Thanks for the clarification, PJ. We will follow up on the GH issue.

Best
Mayank

> On Apr 11, 2022, at 2:53 PM, PJ Fanning <fa...@apache.org> wrote:
> 
> Thanks Mayank. I do some work with the ASF Security team. Issues relating to problematic dependencies are only regarded as private if there is a POC that shows the issue has a direct impact on the project in question. This is not the case here.
> 
> All the same, it is bad for the reputation of the ASF and its projects to have projects that release with lib dependencies that have publicly known vulnerabilities. `npm audit fix` will fix quite a few - it just takes someone with experience verifying the UI afterwards. I am not a Pinot user so I feel unqualified to do this bit. I would appeal to the Pinot community for someone to update the dependencies before malicious users come along and exploit these issues.
> 
>> On 2022/04/07 13:28:06 Mayank Shrivastava wrote:
>> Hi PJ,
>> Thanks for reaching out and flagging these security issues. Seems like ASF
>> does have security guidelines
>> <https://www.apache.org/security/committers.html>, one of which suggests to
>> not expose the insecurity via GH issue/jira or direct PR. I do see that you
>> have mentioned the security issue in the GH issue, do you mind changing the
>> description to accommodate for the same? Or let me know if I am
>> misinterpreting the guidelines.
>> 
>> Thanks again for flagging the issue, we will discuss internally and
>> follow up soon.
>> 
>> Best Regards,
>> Mayank
>> 
>>> On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fa...@apache.org> wrote:
>>> 
>>> Hi everyone,
>>> I raised an issue about multiple insecure NPMs that are used in
>>> pinot-controller.
>>> 
>>> https://github.com/apache/pinot/issues/8476
>>> 
>>> I'm not a UI expert and not really a Pinot user, I'm just an ASF
>>> member looking to get teams to upgrade their dependencies to improve
>>> security.
>>> 
>>> Would any of the Pinot contributors be in a position to try upgrades?
>>> 
>>> This command can often do a lot of the work:
>>> npm audit fix
>>> 
>>> Regards,
>>> PJ
>>> 
>> 
> 


Re: pinot-controller NPM security issues

Posted by PJ Fanning <fa...@apache.org>.
Thanks Mayank. I do some work with the ASF Security team. Issues relating to problematic dependencies are only regarded as private if there is a POC that shows the issue has a direct impact on the project in question. This is not the case here.

All the same, it is bad for the reputation of the ASF and its projects to have projects that release with lib dependencies that have publicly known vulnerabilities. `npm audit fix` will fix quite a few - it just takes someone with experience verifying the UI afterwards. I am not a Pinot user so I feel unqualified to do this bit. I would appeal to the Pinot community for someone to update the dependencies before malicious users come along and exploit these issues.

On 2022/04/07 13:28:06 Mayank Shrivastava wrote:
> Hi PJ,
> Thanks for reaching out and flagging these security issues. Seems like ASF
> does have security guidelines
> <https://www.apache.org/security/committers.html>, one of which suggests to
> not expose the insecurity via GH issue/jira or direct PR. I do see that you
> have mentioned the security issue in the GH issue, do you mind changing the
> description to accommodate for the same? Or let me know if I am
> misinterpreting the guidelines.
> 
> Thanks again for flagging the issue, we will discuss internally and
> follow up soon.
> 
> Best Regards,
> Mayank
> 
> On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fa...@apache.org> wrote:
> 
> > Hi everyone,
> > I raised an issue about multiple insecure NPMs that are used in
> > pinot-controller.
> >
> > https://github.com/apache/pinot/issues/8476
> >
> > I'm not a UI expert and not really a Pinot user, I'm just an ASF
> > member looking to get teams to upgrade their dependencies to improve
> > security.
> >
> > Would any of the Pinot contributors be in a position to try upgrades?
> >
> > This command can often do a lot of the work:
> > npm audit fix
> >
> > Regards,
> > PJ
> >


Re: pinot-controller NPM security issues

Posted by Mayank Shrivastava <ma...@apache.org>.
Hi PJ,
Thanks for reaching out and flagging these security issues. Seems like ASF
does have security guidelines
<https://www.apache.org/security/committers.html>, one of which suggests to
not expose the insecurity via GH issue/jira or direct PR. I do see that you
have mentioned the security issue in the GH issue, do you mind changing the
description to accommodate for the same? Or let me know if I am
misinterpreting the guidelines.

Thanks again for flagging the issue, we will discuss internally and
follow up soon.

Best Regards,
Mayank

On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fa...@apache.org> wrote:

> Hi everyone,
> I raised an issue about multiple insecure NPMs that are used in
> pinot-controller.
>
> https://github.com/apache/pinot/issues/8476
>
> I'm not a UI expert and not really a Pinot user, I'm just an ASF
> member looking to get teams to upgrade their dependencies to improve
> security.
>
> Would any of the Pinot contributors be in a position to try upgrades?
>
> This command can often do a lot of the work:
> npm audit fix
>
> Regards,
> PJ
>