[ 
https://issues.apache.org/jira/browse/HBASE-29818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050798#comment-18050798
 ] 

Dávid Paksy commented on HBASE-29818:
-------------------------------------

npm audit also lists them:
{code:java}
$ npm audit
# npm audit report

react-router  7.0.0 - 7.12.0-pre.0
Severity: high
React Router has CSRF issue in Action/Server Action Request Processing - 
https://github.com/advisories/GHSA-h5cw-625j-3rxh
React Router vulnerable to XSS via Open Redirects - 
https://github.com/advisories/GHSA-2w69-qvjg-hvjx
React Router has unexpected external redirect via untrusted paths - 
https://github.com/advisories/GHSA-9jcx-v3wj-wh4m
React Router SSR XSS in ScrollRestoration - 
https://github.com/advisories/GHSA-8v8x-cx79-35w7
fix available via `npm audit fix`
node_modules/react-router
  @react-router/express  <=7.11.0
  Depends on vulnerable versions of @react-router/node
  Depends on vulnerable versions of react-router
  node_modules/@react-router/express
  @react-router/node  <=7.11.0
  Depends on vulnerable versions of react-router
  node_modules/@react-router/node
    @react-router/dev  <=7.11.0
    Depends on vulnerable versions of @react-router/node
    node_modules/@react-router/dev
  @react-router/serve  <=7.11.0
  Depends on vulnerable versions of @react-router/express
  Depends on vulnerable versions of @react-router/node
  Depends on vulnerable versions of react-router
  node_modules/@react-router/serve

5 vulnerabilities (4 moderate, 1 high)

To address all issues, run:
  npm audit fix
 {code}

> Bump React Router from 7.9.4 to fix 2 high, 2 medium security vulnerabilities 
> in hbase-website
> ----------------------------------------------------------------------------------------------
>
>                 Key: HBASE-29818
>                 URL: https://issues.apache.org/jira/browse/HBASE-29818
>             Project: HBase
>          Issue Type: Task
>          Components: website
>            Reporter: Dávid Paksy
>            Assignee: Dávid Paksy
>            Priority: Major
>
> Dependabot reported 4 new security vulnerabilities (2 high, 2 medium) in 
> React Router which is used in hbase-website.
> [https://github.com/apache/hbase/security/dependabot/120]
> [https://github.com/apache/hbase/security/dependabot/121]
> [https://github.com/apache/hbase/security/dependabot/122]
> [https://github.com/apache/hbase/security/dependabot/119]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
