spuru9 commented on PR #27997: URL: https://github.com/apache/flink/pull/27997#issuecomment-4298824466
As part of [FLINK-39517](https://issues.apache.org/jira/browse/FLINK-39517)

### Framework & Core Tooling

| Package | Version Upgrade | Primary Vulnerabilities Resolved | Advisory URLs |
| :--- | :--- | :--- | :--- |
| `@angular/common` | `20.1.3` → `20.3.19` | XSRF Token Leakage | [GHSA-58c5-g7wp-6w37](https://github.com/advisories/GHSA-58c5-g7wp-6w37) |
| `@angular/compiler` | `20.1.3` → `20.3.19` | Stored XSS via SVG/MathML, i18n ICU messages | [GHSA-v4hv-rgfq-gp49](https://github.com/advisories/GHSA-v4hv-rgfq-gp49), [GHSA-jrmj-c5cx-3cw6](https://github.com/advisories/GHSA-jrmj-c5cx-3cw6), [GHSA-prjf-86w9-mfqv](https://github.com/advisories/GHSA-prjf-86w9-mfqv) |
| `@angular/core` | `20.1.3` → `20.3.19` | Dependency on vulnerable `@angular/compiler` | [GHSA-g93w-mfhg-p222](https://github.com/advisories/GHSA-g93w-mfhg-p222) |
| `@angular/cli` | `20.1.3` → `20.3.24` | Cumulative security patches for build pipeline | N/A |

### Critical & High Transitive Dependencies

These were resolved by upgrading core dev-dependencies and removing deprecated subtrees.

| Transitive Package | Version Upgrade | Vulnerability | Severity | Advisory URL |
| :--- | :--- | :--- | :--- | :--- |
| `form-data` | `<2.5.4` → `3.0.1+` | Unsafe Random (Boundary Choice) | **Critical** | [GHSA-fjxv-7rqg-78g4](https://github.com/advisories/GHSA-fjxv-7rqg-78g4) |
| `request` | `*` → **Removed** | Server-Side Request Forgery (SSRF) | **Critical** | [GHSA-p8p7-x288-28g6](https://github.com/advisories/GHSA-p8p7-x288-28g6) |
| `serialize-javascript` | `7.0.4` → `7.0.6` | Remote Code Execution (RCE) / DoS | High | [GHSA-5c6j-r48x-rmvq](https://github.com/advisories/GHSA-5c6j-r48x-rmvq) |
| `vite` | `7.3.1` → `7.3.4` | Path Traversal / Arbitrary File Read | High | [GHSA-p9ff-h696-f583](https://github.com/advisories/GHSA-p9ff-h696-f583) |
| `rollup` | `4.58.0` → `4.59.1` | Path Traversal / Arbitrary File Write | High | [GHSA-mw96-cpmx-2vgc](https://github.com/advisories/GHSA-mw96-cpmx-2vgc) |
| `picomatch` | `4.0.3` → `5.0.1` | ReDoS / Method Injection | High | [GHSA-3v7f-55p6-f55p](https://github.com/advisories/GHSA-3v7f-55p6-f55p) |
| `ajv` | `8.17.1` → `8.18.0` | Regular Expression Denial of Service | Moderate | [GHSA-2g4f-4pwh-qvx6](https://github.com/advisories/GHSA-2g4f-4pwh-qvx6) |
| `qs` | `6.14.1` → `6.15.0` | Memory Exhaustion (DoS) | Moderate | [GHSA-6rw7-vpxm-498p](https://github.com/advisories/GHSA-6rw7-vpxm-498p) |
| `tough-cookie` | `4.1.2` → `4.1.3` | Prototype Pollution | Moderate | [GHSA-72xf-g2v4-qvf3](https://github.com/advisories/GHSA-72xf-g2v4-qvf3) |
| `xml2js` | `0.4.23` → `0.5.0` | Prototype Pollution | Moderate | [GHSA-776f-qx25-q3cc](https://github.com/advisories/GHSA-776f-qx25-q3cc) |
| `webpack` | `5.104.0` → `5.105.0` | SSRF via `allowedUris` bypass | Low | [GHSA-8fgc-7cc6-rx7x](https://github.com/advisories/GHSA-8fgc-7cc6-rx7x) |
| `tmp` | `0.2.3` → `0.2.4` | Arbitrary File/Directory Write | Low | [GHSA-52f5-9888-hmc6](https://github.com/advisories/GHSA-52f5-9888-hmc6) |

### Removed Deprecated Dependencies

The following packages were removed from the dependency tree (primarily the `protractor` subtree) to eliminate associated security risks:

| Package | Severity | Reason for Removal |
| :--- | :--- | :--- |
| `protractor` | Moderate | Deprecated testing framework; replaced by modern CLI defaults |
| `webdriver-manager` | Moderate | Support package for Protractor; contains `xml2js` vulnerability |
| `selenium-webdriver` | Moderate | Support package for Protractor; contains `tmp` vulnerability |
| `webdriver-js-extender` | Low | Support package for Protractor |
| `request` | Critical | Deprecated HTTP client; contains SSRF vulnerability |

## Wanted Version Updates & Alignment

These packages were updated to their "Wanted" versions to ensure compatibility with the new Angular version and maintain build tool stability.

| Package | From | To | Reason |
| :--- | :--- | :--- | :--- |
| `prettier` | `^2.4.1` | `^2.8.8` | Alignment with new Angular CLI and linting plugins |
| `ng-zorro-antd` | `^20.1.0` | `^20.4.4` | Compatibility with Angular 20.3+ |
| `@angular-eslint/*` (all) | `20.1.1` | `20.7.0` | Alignment with Angular CLI and ESLint updates |
| `@typescript-eslint/*` | `^8.37.0` | `^8.59.0` | Wanted version for improved TypeScript 5.8 support |
| `@antv/g2` | `^4.1.34` | `^4.2.12` | General stability and bug fixes |
| `core-js` | `^3.39.0` | `^3.49.0` | Polyfill stability and updated browser compatibility |
| `d3` | `^7.1.1` | `^7.9.0` | Performance and API stability |
| `eslint-plugin-import` | `^2.25.4` | `^2.32.0` | Compatibility with updated ESLint engine |
| `eslint-plugin-jsdoc` | `^50.6.0` | `^50.8.0` | Compatibility with updated ESLint engine |
| `eslint-plugin-prettier` | `^4.0.0` | `^4.2.5` | Alignment with Prettier 2.8.8 |
| `eslint-plugin-unused-imports` | `^4.1.4` | `^4.4.1` | Bug fixes and compatibility |
| `@types/*` (node, d3, etc.) | (various) | (latest) | Typing alignment for updated library versions |
| `ts-node` | `^10.4.0` | `^10.9.2` | Stability for dev-server and build scripts |

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
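A reviewer or downstream consumer will usually want to confirm that the resolved lockfile actually matches what the comment above claims: no copy of a listed package below its target version anywhere in the tree (npm keeps older duplicates nested under sub-trees, where `npm ls` at the top level does not show them), and no leftover copy of the packages listed as removed. The script below is an added example, not code from the Flink PR or from spuru9. It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3 (the `packages` map keyed by install path), takes its thresholds from the "to" versions in the comment's tables rather than from the advisories' full fixed-version ranges, and the lockfile it runs on is constructed sample data with three findings planted.

```javascript
// Added example, not code from the Flink PR or its author. Walks an npm
// lockfile (lockfileVersion 2 or 3, "packages" map) and reports
//   (a) any resolved copy of a package still below the target version the
//       comment's tables list, and
//   (b) any copy of a package the comment says was removed entirely.
// Thresholds are the comment's "to" versions, i.e. what the PR claims to
// land. An advisory may also be fixed on other release lines, so treat a hit
// as "re-check against the advisory", not as proof of exposure.

const TARGET_MIN = {
  '@angular/common': '20.3.19',
  '@angular/compiler': '20.3.19',
  '@angular/core': '20.3.19',
  'form-data': '3.0.1',
  'serialize-javascript': '7.0.6',
  'vite': '7.3.4',
  'rollup': '4.59.1',
  'picomatch': '5.0.1',
  'ajv': '8.18.0',
  'qs': '6.15.0',
  'tough-cookie': '4.1.3',
  'xml2js': '0.5.0',
  'webpack': '5.105.0',
  'tmp': '0.2.4',
};

const MUST_BE_ABSENT = new Set([
  'request', 'protractor', 'webdriver-manager',
  'selenium-webdriver', 'webdriver-js-extender',
]);

// Numeric compare on major.minor.patch. Pre-release ("-rc.1") and build
// metadata ("+sha") are ignored, which is the lenient direction here:
// "7.3.4-rc.1" counts as 7.3.4 and would NOT be flagged.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('+')[0].split('-')[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/webdriver-manager/node_modules/xml2js" -> "xml2js"
// "node_modules/@angular/compiler"                    -> "@angular/compiler"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns { below: [...], forbidden: [...] }. Empty arrays mean the lockfile
// matches the comment. Every install path is checked, not just the hoisted
// copy, because nested duplicates are exactly where stale versions survive.
function auditLockfile(lock) {
  const below = [];
  const forbidden = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !entry.version) continue; // root project entry
    const name = packageNameFromPath(lockPath);
    if (name === null) continue;
    if (MUST_BE_ABSENT.has(name)) {
      forbidden.push({ name, path: lockPath, version: entry.version });
    }
    const min = TARGET_MIN[name];
    if (min && compareVersions(entry.version, min) < 0) {
      below.push({ name, path: lockPath, version: entry.version, target: min });
    }
  }
  return { below, forbidden };
}

// Constructed sample lockfile (not Flink's real package-lock.json): vite is
// stale at the top level, xml2js is stale only in a nested sub-tree, and a
// leftover `request` plus its `webdriver-manager` parent are still present.
const SAMPLE_LOCK = {
  name: 'flink-runtime-web', lockfileVersion: 3, packages: {
    '': { name: 'flink-runtime-web' },
    'node_modules/@angular/compiler': { version: '20.3.19', dev: true },
    'node_modules/form-data': { version: '4.0.0' },
    'node_modules/vite': { version: '7.3.1', dev: true },
    'node_modules/tmp': { version: '0.2.4', dev: true },
    'node_modules/xml2js': { version: '0.5.0', dev: true },
    'node_modules/webdriver-manager': { version: '12.1.9', dev: true },
    'node_modules/webdriver-manager/node_modules/xml2js': { version: '0.4.23', dev: true },
    'node_modules/request': { version: '2.88.2', dev: true },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: auditLockfile(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
}
```

Run it against the branch's real `package-lock.json` instead of `SAMPLE_LOCK` to get the list of install paths that still disagree with the tables; an empty `below` and `forbidden` is the state the comment describes.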
