Thanks for the clarification, PJ. We will follow up on the GH issue.

Best
Mayank

> On Apr 11, 2022, at 2:53 PM, PJ Fanning <fannin...@apache.org> wrote:
> 
> Thanks Mayank. I do some work with the ASF Security team. Issues relating to 
> problematic dependencies are only regarded as private if there is a POC that 
> shows the issue has a direct impact on the project in question. This is not 
> the case here.
> 
> All the same, it is bad for the reputation of the ASF and its projects to 
> have projects that release with lib dependencies that have publicly known 
> vulnerabilities. `npm audit fix` will fix quite a few - it just takes someone 
> with experience verifying the UI afterwards. I am not a Pinot user so I feel 
> unqualified to do this bit. I would appeal to the Pinot community for someone 
> to update the dependencies before malicious users come along and exploit 
> these issues.
> 
>> On 2022/04/07 13:28:06 Mayank Shrivastava wrote:
>> Hi PJ,
>> Thanks for reaching out and flagging these security issues. Seems like ASF
>> does have security guidelines
>> <https://www.apache.org/security/committers.html>, one of which suggests
>> not exposing the insecurity via GH issue/jira or direct PR. I do see that you
>> have mentioned the security issue in the GH issue, do you mind changing the
>> description to accommodate for the same? Or let me know if I am
>> misinterpreting the guidelines.
>> 
>> Thanks again for flagging the issue, we will discuss internally and
>> follow-up soon.
>> 
>> Best Regards,
>> Mayank
>> 
>>> On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fannin...@apache.org> wrote:
>>> 
>>> Hi everyone,
>>> I raised an issue about multiple insecure NPMs that are used in
>>> pinot-controller.
>>> 
>>> https://github.com/apache/pinot/issues/8476
>>> 
>>> I'm not a UI expert and not really a Pinot user, I'm just an ASF
>>> member looking to get teams to upgrade their dependencies to improve
>>> security.
>>> 
>>> Would any of the Pinot contributors be in a position to try upgrades?
>>> 
>>> This command can often do a lot of the work:
>>> npm audit fix
>>> 
>>> Regards,
>>> PJ
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@pinot.apache.org
>>> For additional commands, e-mail: dev-h...@pinot.apache.org
>>> 
>>> 
>> 
> 

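An added example, not part of this thread and not Pinot's own tooling: a small Python triage script for `npm audit --json` output of the kind the thread discusses. It assumes the npm 7+ report shape (a `vulnerabilities` map keyed by package name, each with `severity`, `via`, `isDirect` and `fixAvailable`); the embedded report is constructed, with made-up package names and advisory titles. It separates findings that plain `npm audit fix` can resolve from those that need a semver-major upgrade (the case where someone has to verify the UI afterwards, as PJ notes) and from those with no fix, and exits non-zero when anything at or above a chosen severity is present, so it can gate a CI job.

```python
"""Triage `npm audit --json` output (added example; report format is an assumption)."""
import json
import sys

# Severity ranking used to decide whether a report should break a build.
SEVERITY_ORDER = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 7+ `npm audit --json` shape. Package names,
# advisory ids and titles are invented for illustration only.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "severity": "high",
            "isDirect": True,
            "via": [{"source": 1000001, "name": "example-parser",
                     "title": "Prototype pollution (constructed advisory)",
                     "severity": "high", "range": "<1.2.3"}],
            "range": "<1.2.3",
            "fixAvailable": True,               # plain `npm audit fix` resolves it
        },
        "example-template": {
            "severity": "moderate",
            "isDirect": False,
            "via": [{"source": 1000002, "name": "example-template",
                     "title": "Regular expression denial of service (constructed advisory)",
                     "severity": "moderate", "range": "<2.0.0"}],
            "range": "<2.0.0",
            # Fixable only by moving a parent package across a major version.
            "fixAvailable": {"name": "example-ui", "version": "5.0.0", "isSemVerMajor": True},
        },
        "example-minifier": {
            "severity": "low",
            "isDirect": False,
            "via": ["example-template"],        # reachable only through another package
            "range": "*",
            "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 3}},
})


def classify_fix(fix_available):
    """Map npm's fixAvailable field to a remediation class: auto, semver-major or none."""
    if fix_available is True:
        return "auto"
    if isinstance(fix_available, dict):
        # npm only applies a semver-major bump with `npm audit fix --force`,
        # which is the case that needs someone to verify the UI afterwards.
        return "semver-major" if fix_available.get("isSemVerMajor") else "auto"
    return "none"


def parse_audit(report_json):
    """Flatten the vulnerabilities map into one record per affected package."""
    data = json.loads(report_json)
    findings = []
    for name, entry in data.get("vulnerabilities", {}).items():
        # `via` mixes advisory dicts (root causes) with strings (paths via other packages).
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        findings.append({
            "name": name,
            "severity": entry.get("severity", "info"),
            "direct": bool(entry.get("isDirect", False)),
            "titles": [a.get("title", "") for a in advisories],
            "fix": classify_fix(entry.get("fixAvailable", False)),
        })
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


def fix_plan(findings):
    """Group package names by how they can be remediated."""
    plan = {"auto": [], "semver-major": [], "none": []}
    for finding in findings:
        plan[finding["fix"]].append(finding["name"])
    return plan


def should_fail(findings, threshold="high"):
    """True if any finding is at or above the threshold severity."""
    limit = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    # Pipe a real report in (`npm audit --json | python triage.py`), else use the sample.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    results = parse_audit(raw)
    print("severity counts:", summarize(results))
    print("remediation plan:", fix_plan(results))
    sys.exit(1 if should_fail(results) else 0)
```

The `fix_plan` output is the useful part for a project in Pinot's position: the `auto` bucket is what `npm audit fix` handles unattended, the `semver-major` bucket is where a maintainer who knows the UI has to step in, and the `none` bucket is what has to be tracked until upstream ships a fix.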