You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@yunikorn.apache.org by "Wilfred Spiegelenburg (Jira)" <ji...@apache.org> on 2023/05/19 02:18:00 UTC
[jira] [Comment Edited] (YUNIKORN-1752) Update karma as it prevents engine.io updates
[ https://issues.apache.org/jira/browse/YUNIKORN-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17724074#comment-17724074 ]
Wilfred Spiegelenburg edited comment on YUNIKORN-1752 at 5/19/23 2:17 AM:
--------------------------------------------------------------------------
Turns out that even the latest version of karma is still pointing to the same CVE affected dependency.
Running: {{npm audit fix --force}} fixes the issue. However that has a large side effect as the yarn.lock file is now rewritten with the npm urls.
was (Author: wifreds):
Turns out that even the latest version of karma is still pointing to the same CVE affected dependency.
Running: {{npm audit fix --force}} fixes the issue. However that has a large side effect as the yarn.lock file is now rewritten with the npm urls.
Using manual update for socket.io via {{yarn upgrade socket.io@6.4.1}} seems to have fixed the issue.
> Update karma as it prevents engine.io updates
> ---------------------------------------------
>
> Key: YUNIKORN-1752
> URL: https://issues.apache.org/jira/browse/YUNIKORN-1752
> Project: Apache YuniKorn
> Issue Type: Task
> Components: webapp
> Reporter: Wilfred Spiegelenburg
> Assignee: Wilfred Spiegelenburg
> Priority: Major
>
> From the dependabot alert:
> {code:java}
> karma@6.3.20 requires engine.io@~6.1.0 via a transitive dependency on socket.io@4.4.1{code}
> Karma 6.3.20 is the latest in the 6.3 range need to move to 6.4 to fix this
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: issues-help@yunikorn.apache.org