Jens Geyer created THRIFT-6019:
----------------------------------
Summary: Replace html-validator-cli with a maintained alternative in root Node.js package
Key: THRIFT-6019
URL: https://issues.apache.org/jira/browse/THRIFT-6019
Project: Thrift
Issue Type: Dependency upgrade
Components: Node.js - Library
Reporter: Jens Geyer
The root package.json includes [email protected] as a devDependency.
This version depends on [email protected] which in turn depends on the
deprecated "request" library.

The "request" package has been deprecated since 2020 and carries CVE-2023-28155
(SSRF, MEDIUM). Its dependencies qs (CVE-2025-15284, DoS, MEDIUM) and
tough-cookie (CVE-2023-26136, Prototype Pollution, MEDIUM) are also flagged.

The html-validator package was rewritten in v6+ to use node-fetch instead of
request. The replacement should be evaluated and, if suitable, the dependency
updated. Alternatively, a different HTML validation tool could be adopted.

This eliminates the request/qs/tough-cookie vulnerability chain in the root
package-lock.json.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)