[ https://issues.apache.org/jira/browse/YARN-11109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18023854#comment-18023854 ]

Michael Smith commented on YARN-11109:
--------------------------------------

Also bad: hadoop-yarn-applications-catalog-webapp does not include a yarn.lock. 
So dependencies are unpinned, leaving it open to supply-chain attacks.

> many UI NPMs have published vulnerabilities
> -------------------------------------------
>
>                 Key: YARN-11109
>                 URL: https://issues.apache.org/jira/browse/YARN-11109
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn-ui-v2
>            Reporter: PJ Fanning
>            Priority: Major
>
> mainly associated with 
> hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/yarn.lock
>  
> dependabot reports issues in github forks but doesn't allow other users to 
> see them - to see same results that I see, fork hadoop, go into security tab 
> and enable Dependabot alerts (see 
> https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
>  
> a brief summary of NPMs being reported
>  * lodash (critical cve) https://github.com/advisories/GHSA-jf85-cpcp-j695
>  * lodash.merge (critical cve)
>  * lodash-es (critical cve)
>  * minimist (critical cve)
>  * cryptiles (critical cve) https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
>  * ansi-regex
>  * follow-redirects
>  * ajv
>  * handlebars (critical cve)
>  * xmlhttprequest-ssl (critical cve)
>  * chownr
>  * node-sass
>  * mout
>  * shelljs
>  * xmldom
>  * markdown-it
>  * json-schema 
>  * jsonpointer
>  * tmpl
>  * tar
>  * path-parse
>  * socket.io-parser
>  * trim-newlines
>  * glob-parent 
>  * minimatch
>  * tough-cookie
>  * others with lower risks
>  
> hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json
> * also has issues - notably with an old version of angular
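Michael Smith's point about the missing yarn.lock, as an added example that is not code from the Jira thread or the Hadoop project: a small Node script that reports which package.json specifiers can float to a newer release at install time and whether any lockfile is present to pin them. The manifest and directory listing it runs on are constructed samples, not the real catalog-webapp files.

```javascript
// Added example, not code from the Jira thread or the Hadoop project: audit a
// package.json for floating dependency specifiers and check for a lockfile.

// Specifiers that resolve to exactly one version (optionally with a prerelease
// or build suffix). Anything else is re-resolved on every install without a lockfile.
const EXACT_RE = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

function classifySpec(spec) {
  if (EXACT_RE.test(spec)) return 'exact';
  if (/^(latest|\*|x|)$/.test(spec) || /^>=?/.test(spec)) return 'open';   // no upper bound
  if (/^(git\+|https?:|file:|github:|npm:)/.test(spec) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'source';               // git/URL/alias
  if (/^[\^~]/.test(spec) || /[\sx*|<>]/.test(spec)) return 'range';        // caret, tilde, x-range, hyphen, ||
  return 'other';
}

// Returns every dependency whose specifier is not an exact version.
function findUnpinned(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(String(spec));
      if (kind !== 'exact') unpinned.push({ field, name, spec: String(spec), kind });
    }
  }
  return unpinned;
}

// `entries` is the listing of the package directory (e.g. from fs.readdirSync).
function lockfilesPresent(entries) {
  const known = ['yarn.lock', 'package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml'];
  return known.filter((f) => entries.includes(f));
}

function auditReport(pkgJsonText, entries) {
  const lockfiles = lockfilesPresent(entries);
  const unpinned = findUnpinned(pkgJsonText);
  // Floating ranges only matter when nothing pins what they resolve to.
  return { lockfiles, unpinned, floating: lockfiles.length === 0 && unpinned.length > 0 };
}

// Constructed sample manifest and directory listing (not the real catalog-webapp files).
const SAMPLE_PKG = JSON.stringify({ name: 'sample-webapp',
  dependencies: { angular: '~1.5.0', lodash: '^4.17.0', minimist: '1.2.6' },
  devDependencies: { 'node-sass': '*', handlebars: 'latest' } });
const SAMPLE_DIR = ['package.json', 'src', 'README.md'];
console.log(JSON.stringify(auditReport(SAMPLE_PKG, SAMPLE_DIR), null, 2));
```

Run against a real checkout by passing the manifest text and `fs.readdirSync(dir)`; a non-empty `unpinned` list with an empty `lockfiles` array is the condition the comment above describes.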



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
