Hadoop YARN / YARN-11109

many UI NPMs have published vulnerabilities


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: yarn-ui-v2

    Description

      Mainly associated with hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/yarn.lock

      Dependabot reports issues in GitHub forks but doesn't allow other users to see them. To see the same results that I see, fork Hadoop, go into the Security tab and enable Dependabot alerts (see https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).

      A brief summary of the npm packages being reported:

      • lodash (critical CVE) https://github.com/advisories/GHSA-jf85-cpcp-j695
      • lodash.merge (critical CVE)
      • lodash-es (critical CVE)
      • minimist (critical CVE)
      • cryptiles (critical CVE) https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
      • ansi-regex
      • follow-redirects
      • ajv
      • handlebars (critical CVE)
      • xmlhttprequest-ssl (critical CVE)
      • chownr
      • node-sass
      • mout
      • shelljs
      • xmldom
      • markdown-it
      • json-schema
      • jsonpointer
      • tmpl
      • tar
      • path-parse
      • socket.io-parser
      • trim-newlines
      • glob-parent
      • minimatch
      • tough-cookie
      • others with lower risks

      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json

      • also has issues, notably with an old version of angular
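As an added example (not part of this issue and not code from the Hadoop project), the following Node.js script parses a yarn.lock v1 file such as the one referenced above and flags every entry whose pinned version is below a "fixed in" version from an advisory table. The lockfile excerpt, the package hashes and the advisory thresholds are constructed for the example and are not copied from the Hadoop repository or from the linked GitHub advisories; the function and constant names are the example's own.

```javascript
// Added example, not code from YARN-11109 or the Hadoop project: parse a
// yarn.lock (v1 format) and flag entries whose pinned "version" is strictly
// below an advisory's fix version. All data below is constructed.

// Constructed yarn.lock excerpt in the v1 layout yarn writes. Versions, URLs
// and hashes are made up for the example, not taken from Hadoop's yarn.lock.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^12.0.0":
  version "12.20.55"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-12.20.55.tgz#0000"
  integrity sha512-constructed

cryptiles@2.x.x:
  version "2.0.5"
  resolved "https://registry.yarnpkg.com/cryptiles/-/cryptiles-2.0.5.tgz#0000"
  dependencies:
    boom "2.x.x"

lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.10"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#0000"

minimist@^1.2.0:
  version "1.2.6"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#0000"
`;

// Constructed advisory table (hypothetical): a package is flagged when its
// pinned version is strictly below fixedIn. Thresholds are placeholders,
// not the real fix versions of the advisories named in the issue.
const SAMPLE_ADVISORIES = [
  { name: "lodash", fixedIn: "4.17.21", severity: "critical" },
  { name: "cryptiles", fixedIn: "4.1.2", severity: "critical" },
  { name: "minimist", fixedIn: "1.2.6", severity: "critical" },
];

// Parse yarn.lock v1. An entry starts with an unindented line of
// comma-separated "name@range" specs ending in ":"; the pinned version is
// the two-space-indented `version "x.y.z"` line that follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specs = line
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      // lastIndexOf("@") keeps scoped names such as "@types/node" intact.
      const name = specs[0].slice(0, specs[0].lastIndexOf("@"));
      current = { name, specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric dotted-version comparison (returns -1, 0 or 1). Prerelease tags
// after "-" are ignored, so "1.0.0-beta" compares equal to "1.0.0".
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Match each lockfile entry against the advisory table by name and compare
// the pinned version (not the requested range) against fixedIn.
function findVulnerable(entries, advisories) {
  const hits = [];
  for (const e of entries) {
    if (!e.version) continue;
    for (const adv of advisories) {
      if (adv.name === e.name && compareVersions(e.version, adv.fixedIn) < 0) {
        hits.push({
          name: e.name,
          version: e.version,
          fixedIn: adv.fixedIn,
          severity: adv.severity,
          requestedBy: e.specs,
        });
      }
    }
  }
  return hits;
}

const report = findVulnerable(parseYarnLock(SAMPLE_YARN_LOCK), SAMPLE_ADVISORIES);
for (const hit of report) {
  console.log(
    `${hit.name}@${hit.version} (requested as ${hit.requestedBy.join(", ")}) ` +
      `is below ${hit.fixedIn} [${hit.severity}]`
  );
}
```

The check deliberately reads the `version` line rather than the `name@range` key: the range is only what package.json asked for, while the lockfile pins the resolution that actually ships, which is what a scanner such as Dependabot reports against. Because prerelease tags are ignored, a pinned prerelease of the fix version would be treated as fixed; a production check should use a full semver library instead of this comparison.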

          People

            Assignee: Unassigned
            Reporter: PJ Fanning (pj.fanning)