yuriipalam commented on PR #6:
URL: https://github.com/apache/phoenix-site/pull/6#issuecomment-4126726590

   > Hi @yuriipalam,
   > 
   > Thanks for this, looks nice already.
   > 
   > I found some links in the generated PDF (https://phoenix-beta.staged.apache.org/books/apache-phoenix-reference-guide.pdf) which point to localhost (for example Download, Issues, Source but also link to FAQs, etc):
   > 
   > [image]
   > Can you please check these?
   > 
   > Besides npm audit reports quite some vulnerable dependencies.
   > 
   > ```
   > npm audit
   > # npm audit report
   > 
   > ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
   > Severity: moderate
   > ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
   > ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
   > fix available via `npm audit fix`
   > node_modules/ajv
   > node_modules/serve/node_modules/ajv
   >   serve  7.0.0 - 14.2.5
   >   Depends on vulnerable versions of ajv
   >   Depends on vulnerable versions of serve-handler
   >   node_modules/serve
   > 
   > flatted  <=3.4.1
   > Severity: high
   > flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
   > Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
   > fix available via `npm audit fix`
   > node_modules/flatted
   > 
   > minimatch  <=3.1.3 || 9.0.0 - 9.0.6
   > Severity: high
   > minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
   > minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
   > minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
   > minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
   > minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
   > minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
   > fix available via `npm audit fix`
   > node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
   > node_modules/minimatch
   >   serve-handler  1.1.0 - 6.1.6
   >   Depends on vulnerable versions of minimatch
   >   node_modules/serve-handler
   > 
   > rollup  4.0.0 - 4.58.0
   > Severity: high
   > Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
   > fix available via `npm audit fix`
   > node_modules/rollup
   > 
   > tar  <=7.5.10
   > Severity: high
   > tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
   > node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
   > fix available via `npm audit fix`
   > node_modules/tar
   > 
   > 7 vulnerabilities (1 moderate, 6 high)
   > 
   > To address all issues, run:
   >   npm audit fix
   > ```
   > 
   > It can be reduced with `npm audit fix` to one moderate.
   
   Thanks David, I checked if hbase has the same issue, and it does... Will fix now.
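The thread settles for "one moderate" left after `npm audit fix`. Below is an added example (not code from this PR or the phoenix-site project) of a small CI gate over `npm audit --json` output in the npm 7+ report format (`auditReportVersion: 2`): it blocks on findings at or above a chosen severity and only warns on the rest, and tells you whether each one is direct or transitive and whether a plain `npm audit fix` can address it. The sample report embedded in it is constructed to mirror the thread's findings; the `serve` fix version is a placeholder.

```javascript
// Added example: severity gate for `npm audit --json` (npm 7+, auditReportVersion 2).
// Not part of the PR or the phoenix-site project.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Classify every entry in report.vulnerabilities. Returns { failing, tolerated },
// each a list of { name, severity, direct, fix } where fix is "auto" (plain
// `npm audit fix`), "major" (fixAvailable is an object with isSemVerMajor, i.e.
// a breaking bump is required) or "none".
function evaluateAudit(report, failAt = "high") {
  const threshold = SEVERITY_RANK[failAt];
  const failing = [], tolerated = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    let fix = "none";
    if (v.fixAvailable === true) fix = "auto";
    else if (v.fixAvailable && typeof v.fixAvailable === "object") fix = v.fixAvailable.isSemVerMajor ? "major" : "auto";
    const entry = { name: v.name, severity: v.severity, direct: Boolean(v.isDirect), fix };
    (SEVERITY_RANK[v.severity] >= threshold ? failing : tolerated).push(entry);
  }
  return { failing, tolerated };
}

// Turn the raw JSON text into an exit code (1 = block the build) plus report lines.
function runGate(jsonText, failAt = "high") {
  const { failing, tolerated } = evaluateAudit(JSON.parse(jsonText), failAt);
  const fmt = (e) => `${e.name} [${e.severity}, ${e.direct ? "direct" : "transitive"}, fix: ${e.fix}]`;
  const lines = [...failing.map((e) => `FAIL ${fmt(e)}`), ...tolerated.map((e) => `warn ${fmt(e)}`)];
  return { exitCode: failing.length ? 1 : 0, lines };
}

// Constructed sample in the npm 7+ shape, loosely mirroring the thread's report:
// ajv reached transitively through serve, tar fixable in place, serve (a direct
// dependency) only fixable by a semver-major change. Version "X.Y.Z" is a placeholder.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    ajv: { name: "ajv", severity: "moderate", isDirect: false, via: [{ title: "ReDoS when using `$data` option" }], effects: ["serve"], range: "<6.14.0 || >=7.0.0-alpha.0 <8.18.0", nodes: ["node_modules/ajv"], fixAvailable: true },
    tar: { name: "tar", severity: "high", isDirect: false, via: [{ title: "Hardlink Path Traversal via Drive-Relative Linkpath" }], effects: [], range: "<=7.5.10", nodes: ["node_modules/tar"], fixAvailable: true },
    serve: { name: "serve", severity: "high", isDirect: true, via: ["ajv", "serve-handler"], effects: [], range: "7.0.0 - 14.2.5", nodes: ["node_modules/serve"], fixAvailable: { name: "serve", version: "X.Y.Z", isSemVerMajor: true } },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
});

const result = runGate(SAMPLE_AUDIT_JSON, "high");
result.lines.forEach((l) => console.log(l));
console.log(`exit code: ${result.exitCode}`);
```

In a pipeline you would feed the real output of `npm audit --json` to `runGate` and exit with its `exitCode`; the one residual moderate finding from the thread passes at the default `high` threshold, while any remaining high or critical advisory still fails the build.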


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
