Thanks for the clarification, PJ. We will follow up on the GH issue.

Best,
Mayank

> On Apr 11, 2022, at 2:53 PM, PJ Fanning <fannin...@apache.org> wrote:
>
> Thanks Mayank. I do some work with the ASF Security team. Issues relating to
> problematic dependencies are only regarded as private if there is a POC that
> shows the issue has a direct impact on the project in question. This is not
> the case here.
>
> All the same, it is bad for the reputation of the ASF and its projects to
> have projects that release with lib dependencies that have publicly known
> vulnerabilities. `npm audit fix` will fix quite a few - it just takes someone
> with experience verifying the UI afterwards. I am not a Pinot user so I feel
> unqualified to do this bit. I would appeal to the Pinot community for someone
> to update the dependencies to having malicious users come along and exploit
> these issues.
>
>> On 2022/04/07 13:28:06 Mayank Shrivastava wrote:
>> Hi PJ,
>> Thanks for reaching out and flagging these security issues. Seems like ASF
>> does have security guidelines
>> <https://www.apache.org/security/committers.html>, one of which suggests to
>> not expose the insecurity via GH issue/jira or direct PR. I do see that you
>> have mentioned the security issue in the GH issue, do you mind changing the
>> description to accommodate for the same? Or let me know if I am
>> misinterpreting the guidelines.
>>
>> Thanks again for flagging the issue, we will discuss internally and
>> follow up soon.
>>
>> Best Regards,
>> Mayank
>>
>>> On Wed, Apr 6, 2022 at 7:25 AM PJ Fanning <fannin...@apache.org> wrote:
>>>
>>> Hi everyone,
>>> I raised an issue about multiple insecure NPMs that are used in
>>> pinot-controller.
>>>
>>> https://github.com/apache/pinot/issues/8476
>>>
>>> I'm not a UI expert and not really a Pinot user, I'm just an ASF
>>> member looking to get teams to upgrade their dependencies to improve
>>> security.
>>>
>>> Would any of the Pinot contributors be in a position to try upgrades?
>>>
>>> This command can often do a lot of the work:
>>> npm audit fix
>>>
>>> Regards,
>>> PJ
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@pinot.apache.org
>>> For additional commands, e-mail: dev-h...@pinot.apache.org
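PJ's suggestion to start with `npm audit fix` comes with a caveat the thread only hints at (someone still has to verify the UI afterwards): `npm audit fix` applies only semver-compatible upgrades, so advisories whose fix needs a major version bump, or that have no published fix at all, stay open after it runs. The script below is an added example, not code from the Pinot project or from anyone in this thread. It triages an `npm audit --json` report (the npm 7+ `auditReportVersion: 2` layout) into what `npm audit fix` will handle on its own, what needs `--force` or a manual upgrade, and what has no fix. The embedded report is a constructed sample with placeholder package names and advisory titles, not the contents of the linked GitHub issue; `triageNpmAudit` and `formatTriage` are names chosen here.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ format) into
// what `npm audit fix` resolves unaided versus what needs a human.
//
// Relevant facts about the report format:
//   vulnerabilities[name].fixAvailable is
//     true                      -> semver-compatible fix, `npm audit fix` takes it
//     false                     -> no published fix; needs replacement or patching
//     {name, version, isSemVerMajor} -> fix requires changing a top-level dep;
//                                  isSemVerMajor === true means a breaking bump
//                                  (`npm audit fix --force` or a manual upgrade)
//   vulnerabilities[name].via mixes advisory objects (root causes) with
//   package-name strings (transitive causes).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageNpmAudit(report, minSeverity = 'low') {
  const threshold = SEVERITY_RANK[minSeverity];
  const result = { auto: [], breaking: [], unfixed: [] };

  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? 0) < threshold) continue;

    const entry = {
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // Keep only advisory titles; string entries just name the transitive cause.
      advisories: (v.via || []).filter(x => typeof x === 'object').map(x => x.title),
    };

    const fix = v.fixAvailable;
    if (fix === false) {
      result.unfixed.push(entry);
    } else if (fix === true) {
      result.auto.push(entry);
    } else if (fix && typeof fix === 'object') {
      const withTarget = { ...entry, fixVia: `${fix.name}@${fix.version}` };
      (fix.isSemVerMajor ? result.breaking : result.auto).push(withTarget);
    }
  }

  // Most severe first within each bucket so the summary reads top-down.
  const bySeverity = (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
  for (const bucket of Object.values(result)) bucket.sort(bySeverity);
  return result;
}

function formatTriage(triage) {
  const line = e =>
    `  ${e.severity.padEnd(8)} ${e.name}${e.direct ? ' (direct)' : ''}` +
    `${e.fixVia ? ' -> ' + e.fixVia : ''}` +
    `${e.advisories.length ? ': ' + e.advisories.join('; ') : ''}`;
  return [
    `Fixed by \`npm audit fix\` (${triage.auto.length}):`, ...triage.auto.map(line),
    `Need a breaking upgrade (${triage.breaking.length}):`, ...triage.breaking.map(line),
    `No published fix (${triage.unfixed.length}):`, ...triage.unfixed.map(line),
  ].join('\n');
}

// Constructed sample in the shape `npm audit --json` emits. Package names,
// versions and advisory titles are placeholders, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'critical', isDirect: false,
      via: [{ source: 1001, name: 'example-parser', title: 'Prototype pollution in example-parser', severity: 'critical' }],
      effects: ['example-cli'], range: '<1.2.6', nodes: ['node_modules/example-parser'],
      fixAvailable: true,
    },
    'example-cli': {
      name: 'example-cli', severity: 'critical', isDirect: false,
      via: ['example-parser'], effects: [], range: '0.4.1 - 0.5.1',
      nodes: ['node_modules/example-cli'], fixAvailable: true,
    },
    'example-ui-kit': {
      name: 'example-ui-kit', severity: 'high', isDirect: true,
      via: [{ source: 1002, name: 'example-ui-kit', title: 'XSS in example-ui-kit tooltip', severity: 'high' }],
      effects: [], range: '<=6.0.1', nodes: ['node_modules/example-ui-kit'],
      fixAvailable: { name: 'example-ui-kit', version: '7.0.1', isSemVerMajor: true },
    },
    'example-legacy': {
      name: 'example-legacy', severity: 'moderate', isDirect: true,
      via: [{ source: 1003, name: 'example-legacy', title: 'ReDoS in example-legacy', severity: 'moderate' }],
      effects: [], range: '*', nodes: ['node_modules/example-legacy'],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 2, total: 4 } },
};

console.log(formatTriage(triageNpmAudit(SAMPLE_REPORT)));
```

To run it against a real tree, save the output of `npm audit --json` from the pinot-controller UI directory and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `triageNpmAudit` instead of the sample. The "breaking" and "no published fix" buckets are the ones that need a contributor who can verify the UI, which is the part of the work `npm audit fix` leaves behind.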