[ https://issues.apache.org/jira/browse/THRIFT-6020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer resolved THRIFT-6020.
--------------------------------
    Fix Version/s: 0.24.0
         Assignee: Jens Geyer
       Resolution: Fixed

> Address remaining npm transitive dependency vulnerabilities via audit fix (minimatch, elliptic, lodash)
> -------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-6020
>                 URL: https://issues.apache.org/jira/browse/THRIFT-6020
>             Project: Thrift
>          Issue Type: Dependency upgrade
>          Components: JavaScript - Library, Node.js - Library, TypeScript - Library
>            Reporter: Jens Geyer
>            Assignee: Jens Geyer
>            Priority: Minor
>             Fix For: 0.24.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> After THRIFT-6016/6017/6018/6019 are resolved, a set of residual transitive 
> dependency vulnerabilities remain across lib/js, lib/ts, and the root Node.js 
> package:
> - [email protected] (CVE-2026-27903, ReDoS, HIGH): pulled in by [email protected] and 
> browserify via glob. Upgrading grunt to 1.6+ or running npm audit fix should 
> pull in a patched version.
> - [email protected] (CVE-2025-14505, LOW): pulled in by browserify-sign and 
> create-ecdh (browserify transitive). npm audit fix should be sufficient.
> - lodash remaining after THRIFT-6017: any lodash usage not eliminated by the 
> jsdoc upgrade should be addressed by updating the grunt plugins that depend 
> on it (grunt-legacy-util, grunt-legacy-log, grunt-contrib-uglify 5.x).
> The fix for this ticket is to run "npm audit fix" in each of lib/js, lib/ts, 
> and the root directory after the prerequisite tickets are resolved, verify 
> that the lock files are updated, and commit the results.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
