[ https://issues.apache.org/jira/browse/THRIFT-6019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Geyer reassigned THRIFT-6019:
----------------------------------
Assignee: Jens Geyer
> Replace html-validator-cli with a maintained alternative in root Node.js package
> --------------------------------------------------------------------------------
>
> Key: THRIFT-6019
> URL: https://issues.apache.org/jira/browse/THRIFT-6019
> Project: Thrift
> Issue Type: Dependency upgrade
> Components: Node.js - Library
> Reporter: Jens Geyer
> Assignee: Jens Geyer
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The root package.json includes [email protected] as a devDependency.
> This version depends on [email protected] which in turn depends on the
> deprecated "request" library.
> The "request" package has been deprecated since 2020 and carries
> CVE-2023-28155 (SSRF, MEDIUM). Its dependencies qs (CVE-2025-15284, DoS,
> MEDIUM) and tough-cookie (CVE-2023-26136, Prototype Pollution, MEDIUM) are
> also flagged.
> The html-validator package was rewritten in v6+ to use node-fetch instead of
> request. The replacement should be evaluated and, if suitable, the dependency
> updated. Alternatively, a different HTML validation tool could be adopted.
> This eliminates the request/qs/tough-cookie vulnerability chain in the root
> package-lock.json.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)