[ https://issues.apache.org/jira/browse/THRIFT-6019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer resolved THRIFT-6019.
--------------------------------
    Fix Version/s: 0.24.0
       Resolution: Fixed

> Replace html-validator-cli with a maintained alternative in root Node.js package
> --------------------------------------------------------------------------------
>
>                 Key: THRIFT-6019
>                 URL: https://issues.apache.org/jira/browse/THRIFT-6019
>             Project: Thrift
>          Issue Type: Dependency upgrade
>          Components: Node.js - Library
>            Reporter: Jens Geyer
>            Assignee: Jens Geyer
>            Priority: Minor
>             Fix For: 0.24.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The root package.json includes [email protected] as a devDependency. 
> This version depends on [email protected] which in turn depends on the 
> deprecated "request" library.
> The "request" package has been deprecated since 2020 and carries 
> CVE-2023-28155 (SSRF, MEDIUM). Its dependencies qs (CVE-2025-15284, DoS, 
> MEDIUM) and tough-cookie (CVE-2023-26136, Prototype Pollution, MEDIUM) are 
> also flagged.
> The html-validator package was rewritten in v6+ to use node-fetch instead of 
> request. The replacement should be evaluated and, if suitable, the dependency 
> updated. Alternatively, a different HTML validation tool could be adopted.
> This eliminates the request/qs/tough-cookie vulnerability chain in the root 
> package-lock.json.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)