Hi PJ,
Thanks for reaching out and flagging these security issues. Seems like ASF
does have security guidelines
<https://www.apache.org/security/committers.html>, one of which suggests to
not expose the insecurity via GH issue/jira or direct PR. I do see that you
have mentioned the security issue in the GH issue, do you mind changing the
description to accommodate for the same? Or let me know if I am
misinterpreting the guidelines.

Thanks again for flagging the issue, we will discuss internally and
follow up soon.

Best Regards,
Mayank

On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fannin...@apache.org> wrote:

> Hi everyone,
> I raised an issue about multiple insecure NPMs that are used in
> pinot-controller.
>
> https://github.com/apache/pinot/issues/8476
>
> I'm not a UI expert and not really a Pinot user, I'm just an ASF
> member looking to get teams to upgrade their dependencies to improve
> security.
>
> Would any of the Pinot contributors be in a position to try upgrades?
>
> This command can often do a lot of the work:
> npm audit fix
>
> Regards,
> PJ
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@pinot.apache.org
> For additional commands, e-mail: dev-h...@pinot.apache.org
>
>
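The thread suggests `npm audit fix` as the starting point; what it cannot resolve on its own (semver-major bumps, findings with no fix) is what a team still has to triage by hand. The script below is an added example, not code from the thread or from the Pinot project: it sorts the findings of an `npm audit --json` report (the npm 7+ format with its `vulnerabilities` map and `fixAvailable` field, which is an assumption about the format) into those buckets, using a constructed sample report rather than a real pinot-controller audit.

```python
"""Triage an `npm audit --json` report around what `npm audit fix` can do.

Assumes the npm 7+ report shape ("vulnerabilities" map, per-package
"severity" and "fixAvailable"). The sample report is constructed.
"""
import json

# Constructed sample, not a real pinot-controller audit report.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "high", "isDirect": False,
                  "range": "<1.2.3", "fixAvailable": True},
        "pkg-b": {"name": "pkg-b", "severity": "critical", "isDirect": True,
                  "range": "<=2.0.0",
                  "fixAvailable": {"name": "pkg-b", "version": "3.0.0",
                                   "isSemVerMajor": True}},
        "pkg-c": {"name": "pkg-c", "severity": "low", "isDirect": False,
                  "range": "*", "fixAvailable": False},
    },
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify(audit_json, min_severity="high"):
    """Bucket findings at or above min_severity by how they can be fixed.

    auto_fixable: `npm audit fix` resolves it within the current major range.
    needs_major:  a fix exists but requires a semver-major upgrade
                  (npm only applies these with --force), so review by hand.
    unfixable:    no fixed version is published yet; needs a workaround
                  or a replacement dependency.
    """
    report = json.loads(audit_json)
    threshold = SEVERITY_RANK[min_severity]
    buckets = {"auto_fixable": [], "needs_major": [], "unfixable": []}
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        if SEVERITY_RANK.get(vuln.get("severity", "info"), 0) < threshold:
            continue
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            buckets["auto_fixable"].append(name)
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            buckets["needs_major"].append(name)
        elif fix:  # fix object without a major bump: `npm audit fix` handles it
            buckets["auto_fixable"].append(name)
        else:
            buckets["unfixable"].append(name)
    return buckets


def remaining_after_fix(buckets):
    """Names that `npm audit fix` alone will not clear; gate CI on these."""
    return buckets["needs_major"] + buckets["unfixable"]
```

Run it against a live report with `npm audit --json | python3 -c '...'` after `npm audit fix`; anything returned by `remaining_after_fix` is the manual follow-up list.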
