Purushottam Sinha created FLINK-39516:
-----------------------------------------
Summary: [web dashboard] Address npm security advisories in
flink-runtime-web web-dashboard
Key: FLINK-39516
URL: https://issues.apache.org/jira/browse/FLINK-39516
Project: Flink
Issue Type: Technical Debt
Components: Runtime / Web Frontend
Reporter: Purushottam Sinha
*Description:*

`npm audit` against flink-runtime-web/web-dashboard currently reports 55 advisories (2 critical, 30 high, 17 moderate, 6 low). None are in runtime-shipped code — the dashboard is a static Angular SPA served by the JobManager — but the critical and high findings appear in GHAS/Dependabot scans and block clean audit reports for downstream consumers.

*Goal:* Drive the advisory count to zero (or to an explicitly documented residual set) without regressing the dashboard build or runtime behavior.

Approach is split into two phases because the fixes fall into two distinct categories:

1. SemVer-compatible fixes (lockfile-only): transitives with patches inside the currently declared SemVer ranges. Low risk, no package.json churn.
2. Major-version upgrades (package.json changes): advisories whose patches only exist in a new major. Higher risk — touches the Angular framework, the Angular build tooling, and the deprecated Protractor subtree pulled in by @angular-devkit/build-angular.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)