[ https://issues.apache.org/jira/browse/FLINK-39516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martijn Visser closed FLINK-39516.
----------------------------------
Resolution: Duplicate
> [web dashboard] Address npm security advisories in flink-runtime-web web-dashboard
> -----------------------------------------------------------------------------------
>
> Key: FLINK-39516
> URL: https://issues.apache.org/jira/browse/FLINK-39516
> Project: Flink
> Issue Type: Technical Debt
> Components: Runtime / Web Frontend
> Reporter: Purushottam Sinha
> Priority: Minor
> Labels: pull-request-available
> Attachments: VULNERABILITIES.md
>
>
> *Description:*
> `npm audit` against flink-runtime-web/web-dashboard currently reports 55
> advisories (2 critical, 30 high, 17 moderate, 6 low). None are in
> runtime-shipped code — the dashboard is a static Angular SPA served by the
> JobManager — but the critical and high findings appear in GHAS/Dependabot
> scans and block clean audit reports for downstream consumers.
>
> *Goal:* Drive the advisory count to zero (or to an explicitly documented
> residual set) without regressing the dashboard build or runtime behavior.
> Approach is split into two phases because the fixes fall into two distinct
> categories:
> 1. SemVer-compatible fixes (lockfile-only): transitives with patches inside
> the currently declared SemVer ranges. Low risk, no package.json churn.
> 2. Major-version upgrades (package.json changes): advisories whose patches
> only exist in a new major. Higher risk — touches the Angular framework, the
> Angular build tooling, and the deprecated Protractor subtree pulled in by
> @angular-devkit/build-angular.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
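The two-phase split in the ticket (lockfile-only SemVer-compatible fixes versus major-version upgrades) maps directly onto the `fixAvailable` field that `npm audit --json` (report version 2) emits per package: `true` means the fix lies inside the declared range, an object with `isSemVerMajor: true` means a new major is required, and `false` means no fix exists yet. The script below is an added example, not part of the Flink issue or its pull request; it parses a constructed sample report with placeholder package names (`pkg-a` through `pkg-d`) and buckets each advisory into the corresponding phase, so the same triage can be repeated against the real output of `npm audit --json` in `flink-runtime-web/web-dashboard`.

```python
"""Triage `npm audit --json` (auditReportVersion 2) findings into remediation phases.

Added example: the report below is a constructed sample, not real audit output
for flink-runtime-web; package names, versions and severities are placeholders.
Usage against a real tree:  npm audit --json > audit.json && python triage.py audit.json
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape npm 7+ produces for `npm audit --json`.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        # fixAvailable == True: patched release inside the declared range (phase 1)
        "pkg-a": {"name": "pkg-a", "severity": "high", "isDirect": False,
                  "range": "<1.2.3", "fixAvailable": True},
        # isSemVerMajor == True: fix only exists in a new major (phase 2)
        "pkg-b": {"name": "pkg-b", "severity": "critical", "isDirect": True,
                  "range": "<=2.0.0",
                  "fixAvailable": {"name": "pkg-b", "version": "3.0.0",
                                   "isSemVerMajor": True}},
        # fix object without a major bump: still lockfile-only (phase 1)
        "pkg-c": {"name": "pkg-c", "severity": "moderate", "isDirect": False,
                  "range": "<0.9.0",
                  "fixAvailable": {"name": "pkg-c", "version": "0.9.1",
                                   "isSemVerMajor": False}},
        # fixAvailable == False: no patched release; belongs in the documented residual set
        "pkg-d": {"name": "pkg-d", "severity": "low", "isDirect": False,
                  "range": "*", "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 4}},
})

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def load_report(report_json):
    """Parse the report and reject formats this triage does not understand."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2 (npm 7 or newer)")
    return report


def classify(report_json):
    """Bucket every advisory by how its fix can be applied.

    semver_compatible: lockfile-only update (npm audit fix)
    major_upgrade:     package.json change to a new major (npm audit fix --force)
    no_fix:            no patched release available; document as residual
    """
    phases = {"semver_compatible": [], "major_upgrade": [], "no_fix": []}
    for name, vuln in load_report(report_json)["vulnerabilities"].items():
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            phases["semver_compatible"].append(name)
        elif isinstance(fix, dict):
            key = "major_upgrade" if fix.get("isSemVerMajor") else "semver_compatible"
            phases[key].append(name)
        else:
            phases["no_fix"].append(name)
    return {k: sorted(v) for k, v in phases.items()}


def severity_counts(report_json):
    """Recount severities from the per-package entries rather than trusting metadata."""
    vulns = load_report(report_json)["vulnerabilities"].values()
    return dict(Counter(v["severity"] for v in vulns))


def blocking_findings(report_json, threshold=("critical", "high")):
    """Names of advisories at or above the severities that fail a clean audit, worst first."""
    vulns = load_report(report_json)["vulnerabilities"]
    names = [n for n, v in vulns.items() if v["severity"] in threshold]
    return sorted(names, key=lambda n: (SEVERITY_RANK[vulns[n]["severity"]], n))


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_JSON
    print("severities:", severity_counts(data))
    print("blocking:  ", blocking_findings(data))
    for phase, names in classify(data).items():
        print(f"{phase:18s} {', '.join(names) or '-'}")
```

Anything that lands in `no_fix` is the candidate "explicitly documented residual set" from the goal statement; `severity_counts` recomputes the totals from the per-package entries so a stale `metadata` block cannot mask a regression.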