[jira] [Comment Edited] (YUNIKORN-1752) Update karma as it prevents engine.io updates

["Wilfred Spiegelenburg (Jira)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/YUNIKORN-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17724074#comment-17724074 ] 

Wilfred Spiegelenburg edited comment on YUNIKORN-1752 at 5/19/23 2:17 AM:
--------------------------------------------------------------------------

Turns out that even the latest version of karma is still pointing to the same CVE affected dependency.

Running: {{npm audit fix --force}} fixes the issue. However that has a large side effect as the yarn.lock file is now rewritten with the npm urls.


was (Author: wifreds):
Turns out that even the latest version of karma is still pointing to the same CVE affected dependency.

Running: {{npm audit fix --force}} fixes the issue. However that has a large side effect as the yarn.lock file is now rewritten with the npm urls.

Using manual update for socket.io via {{yarn upgrade socket.io@6.4.1}} seems to have fixed the issue.

> Update karma as it prevents engine.io updates
> ---------------------------------------------
>
>                 Key: YUNIKORN-1752
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1752
>             Project: Apache YuniKorn
>          Issue Type: Task
>          Components: webapp
>            Reporter: Wilfred Spiegelenburg
>            Assignee: Wilfred Spiegelenburg
>            Priority: Major
>
> From the dependabot alert:
> {code:java}
> karma@6.3.20 requires engine.io@~6.1.0 via a transitive dependency on socket.io@4.4.1{code}
> Karma 6.3.20 is the latest in the 6.3 range need to move to 6.4 to fix this



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: issues-help@yunikorn.apache.org