xiangfu0 opened a new pull request, #18013:
URL: https://github.com/apache/pinot/pull/18013
## Summary
- **lz4-java 1.8.0 → 1.8.1**: Fixes CVE-2025-12183 (out-of-bounds memory operations causing DoS in LZ4 Java compression)
- **npm overrides in pinot-controller UI**: Resolves 6 Dependabot alerts by adding version overrides to `package.json`:
  - `underscore` 1.6.0 → 1.13.8 (fixes critical arbitrary code execution #47 and high DoS #334)
  - `minimatch` 9.x → 9.0.7, 10.x → 10.2.3, 3.x → 3.1.5 (fixes ReDoS #330, #332)
  - `glob` 10.x → 10.5.0 (fixes command injection #294)
  - `serialize-javascript` → 7.0.5 (fixes RCE and CPU exhaustion)
  - `postcss` 8.x → 8.4.31 (fixes line return parsing error)
### Alerts dismissed (not actionable):
- **#209 (postcss)**: Installed version is 7.0.39, vulnerability only affects v8.x — false positive
- **#300 (lz4-java info leak)**: No patched version exists; Pinot only decompresses internally-created segment data, not untrusted input
- **#349 (plexus-utils)**: Build-tool transitive dependency only, not used by Pinot code
- **#347, #333, #331, #316, #303**: All npm devDependencies with no production exposure
## Test plan
- [ ] Verify Maven build succeeds with lz4-java 1.8.1
- [ ] Verify `npm install && npm run build` succeeds in pinot-controller/src/main/resources/
- [ ] Run `npm audit` to confirm reduced vulnerability count
- [ ] Run existing unit tests for pinot-segment-local (LZ4 compression tests)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
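The triage rules the PR applies above (an alert is a false positive when the installed version is outside the affected range, it is not fixable when no patched release exists, and dev-only packages carry no production exposure) can be made mechanical. The following is an added example, not code from the Pinot project or the PR; the `Alert` record, the `triage` function and the `CONSTRUCTED_ALERTS` sample data are assumptions of this example, and the `introduced`/`fixed` ranges below are constructed to mirror the cases the PR describes rather than taken from any advisory database.

```python
"""Minimal dependency-alert triage: classify an alert as upgrade, false positive,
dev-only or no-fix-available from the installed version and the affected range.
Example code added to illustrate the PR's reasoning; not part of Apache Pinot.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Accepts "1.8.1", "v1.13.8", "8.4.31-beta" (pre-release tags are ignored here).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a MAJOR.MINOR.PATCH string into a comparable tuple."""
    match = _VERSION_RE.match(text.strip().lstrip("v"))
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def affected(installed: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when `installed` lies in the half-open range [introduced, fixed).

    A missing `introduced` means "all earlier versions"; a missing `fixed`
    means no patched release exists yet (the lz4-java info-leak case).
    """
    version = parse_version(installed)
    if introduced is not None and version < parse_version(introduced):
        return False
    if fixed is not None and version >= parse_version(fixed):
        return False
    return True


@dataclass
class Alert:
    package: str
    installed: str
    introduced: Optional[str]  # first affected version, None = from the start
    fixed: Optional[str]       # first patched version, None = no fix published
    dev_only: bool = False     # devDependency with no production exposure


def triage(alert: Alert) -> str:
    """Return one of: false-positive, dev-only, no-fix-available, upgrade."""
    if not affected(alert.installed, alert.introduced, alert.fixed):
        return "false-positive"       # e.g. postcss 7.0.39 vs. an 8.x-only issue
    if alert.dev_only:
        return "dev-only"             # track, but no production exposure
    if alert.fixed is None:
        return "no-fix-available"     # needs a compensating control, not a bump
    return "upgrade"                  # override/bump to alert.fixed or later


# Constructed sample alerts mirroring the PR's cases; ranges are illustrative.
CONSTRUCTED_ALERTS = [
    Alert("postcss", "7.0.39", "8.0.0", "8.4.31"),
    Alert("lz4-java", "1.8.1", None, None),
    Alert("underscore", "1.6.0", None, "1.13.8"),
    Alert("example-dev-tool", "1.0.0", None, "1.0.1", dev_only=True),
]


def triage_all(alerts=CONSTRUCTED_ALERTS) -> dict:
    """Map package name to its triage decision."""
    return {a.package: triage(a) for a in alerts}


if __name__ == "__main__":
    for name, decision in triage_all().items():
        print(f"{name:18s} {decision}")
```

The half-open `[introduced, fixed)` convention matches how most advisory feeds express affected ranges, so the same check can be fed real advisory data once the installed versions are read from the lockfile instead of the constructed list.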
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]