Thanks Mayank. I do some work with the ASF Security team. Issues relating to 
problematic dependencies are only regarded as private if there is a POC that 
shows the issue has a direct impact on the project in question. This is not the 
case here.

All the same, it is bad for the reputation of the ASF and its projects to have 
projects that release with lib dependencies that have publicly known 
vulnerabilities. `npm audit fix` will fix quite a few - it just takes someone 
with experience verifying the UI afterwards. I am not a Pinot user so I feel 
unqualified to do this bit. I would appeal to the Pinot community for someone 
to update the dependencies prior to having malicious users come along and exploit 
these issues.

On 2022/04/07 13:28:06 Mayank Shrivastava wrote:
> Hi PJ,
> Thanks for reaching out and flagging these security issues. Seems like ASF
> does have a security guidelines
> <https://www.apache.org/security/committers.html>, one of which suggests to
> not expose the insecurity via GH issue/jira or direct PR. I do see that you
> have mentioned the security issue in the GH issue, do you mind changing the
> description to accommodate for the same? Or let me know if I am
> misinterpreting the guidelines.
> 
> Thanks again for flagging the issue, we will discuss internally and
> follow-up soon.
> 
> Best Regards,
> Mayank
> 
> On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fannin...@apache.org> wrote:
> 
> > Hi everyone,
> > I raised an issue about multiple insecure NPMs that are used in
> > pinot-controller.
> >
> > https://github.com/apache/pinot/issues/8476
> >
> > I'm not a UI expert and not really a Pinot user, I'm just an ASF
> > member looking to get teams to upgrade their dependencies to improve
> > security.
> >
> > Would any of the Pinot contributors be in a position to try upgrades?
> >
> > This command can often do a lot of the work:
> > npm audit fix
> >
> > Regards,
> > PJ
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@pinot.apache.org
> > For additional commands, e-mail: dev-h...@pinot.apache.org
> >
> >
> 
