Purushottam Sinha created FLINK-39518:
-----------------------------------------
Summary: Upgrade web-dashboard dependencies to resolve remaining npm advisories
Key: FLINK-39518
URL: https://issues.apache.org/jira/browse/FLINK-39518
Project: Flink
Issue Type: Sub-task
Components: Runtime / Web Frontend
Reporter: Purushottam Sinha
Description:
After FLINK-XXXXX (SemVer-compatible audit fix), ~31 advisories will remain in
flink-runtime-web/web-dashboard — including two critical (form-data, request).
Their patched versions live outside the currently declared SemVer ranges, so
clearing them requires major-version upgrades to package.json.
The remaining advisories cluster into three dependency subtrees.
Address each as a separate PR so a build regression can be bisected:
1. Protractor subtree (critical + high + moderate)
   Packages: form-data, request, qs, tough-cookie, xml2js, tmp,
   selenium-webdriver, webdriver-manager, webdriver-js-extender.
   Root cause: all pulled transitively via
   @angular-devkit/build-angular → protractor. Protractor is
   deprecated by Angular and unused in this project (no e2e/, no
   protractor.conf, no e2e npm script).
   Options to evaluate:
   (a) Migrate the builder from @angular-devkit/build-angular to
       @angular/build (modern esbuild pipeline), which drops the
       entire subtree.
   (b) Add `overrides` in package.json to patch the leaf libs
       in place.
2. Angular framework (high)
   Packages: @angular/{core, common, compiler, animations, forms,
   platform-browser, platform-browser-dynamic, router}. All currently
   on 20.1.x; patches live in 20.3.16+ or Angular 21. Bump the
   @angular/* packages together with a matching @angular/cli and
   compiler-cli bump.
3. Build tooling (high + moderate)
   Packages: @angular-devkit/*, @angular/build, webpack, vite, rollup,
   picomatch, serialize-javascript, copy-webpack-plugin, ajv. Moves
   as a unit with the Angular CLI major bump.
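As an added illustration of option 1(b), not part of this ticket and not something the Flink project has committed: the shape an npm `overrides` field would take in flink-runtime-web/web-dashboard/package.json. The package names are the ones listed under the Protractor subtree; the version strings are placeholders, since the patched versions are not recorded here and must be taken from the advisory output of `npm audit`. Scoping the entries under `protractor` means the forced versions apply only to packages inside that (unused) dependency tree and cannot change what the dashboard itself ships at runtime.

```json
{
  "overrides": {
    "protractor": {
      "form-data": "PATCHED_VERSION_PLACEHOLDER",
      "request": "PATCHED_VERSION_PLACEHOLDER",
      "qs": "PATCHED_VERSION_PLACEHOLDER",
      "tough-cookie": "PATCHED_VERSION_PLACEHOLDER",
      "xml2js": "PATCHED_VERSION_PLACEHOLDER",
      "tmp": "PATCHED_VERSION_PLACEHOLDER"
    }
  }
}
```

The remaining subtree packages (selenium-webdriver, webdriver-manager, webdriver-js-extender) follow the same pattern. `overrides` needs npm 8.3 or later; after merging the field, run `npm install` so the lockfile is regenerated, then `npm audit` to confirm the subtree is clean. Two caveats a reviewer should expect: a forced major bump can break protractor's own code paths, which is tolerable here only because protractor is never executed, and the override has to be carried forward on every future dependency update, whereas option 1(a) removes the subtree and the maintenance debt outright.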
Suggested sequence: (1) → (2) → (3).
Acceptance per PR:
- `npm audit` no longer reports advisories in that subtree
- `npm run build` and `npm run lint` pass
- Dashboard renders, and the basic flows (job list, job detail,
  task manager list) work in a browser against a running JobManager
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
