Jens Geyer created THRIFT-6018:
----------------------------------
Summary: Remove phantom and phantomjs-prebuilt from lib/ts devDependencies
Key: THRIFT-6018
URL: https://issues.apache.org/jira/browse/THRIFT-6018
Project: Thrift
Issue Type: Dependency upgrade
Components: TypeScript - Library
Reporter: Jens Geyer
lib/ts/package.json includes phantom@6 and [email protected] as
devDependencies for browser-based test execution. PhantomJS development was
suspended in 2018 and no further maintenance is expected.
These packages transitively bring in the deprecated "request" library
(CVE-2023-28155, SSRF, MEDIUM) and its dependencies qs (CVE-2025-15284, DoS,
MEDIUM) and tough-cookie (CVE-2023-26136, Prototype Pollution, MEDIUM).
The fix is to remove phantom and phantomjs-prebuilt from lib/ts devDependencies
and migrate any browser tests that currently invoke PhantomJS to a maintained
headless browser driver (e.g. Puppeteer or Playwright) or to a Node.js-only
test approach that does not require a headless browser.
This change is a prerequisite for fully eliminating the request/qs/tough-cookie
vulnerability chain in lib/ts.
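As an added illustration (not part of this issue or of the Thrift code base), the following script walks an npm lockfile in the v2/v3 "packages" layout and reports every devDependency chain that reaches request, qs or tough-cookie, which is the check one would run against lib/ts/package-lock.json before and after the removal to confirm the chain is gone. The lockfile embedded below is constructed to mirror the chain described above; its version strings are placeholders.

```javascript
// Added example: locate flagged transitive packages in an npm lockfile.
// SAMPLE_LOCK is CONSTRUCTED for this example; versions are placeholders.
const SAMPLE_LOCK = {
  packages: {
    "": { devDependencies: { phantom: "x", "phantomjs-prebuilt": "x", jest: "x" } },
    "node_modules/phantom": { dependencies: { "phantomjs-prebuilt": "x" } },
    "node_modules/phantomjs-prebuilt": { dependencies: { request: "x" } },
    "node_modules/request": { dependencies: { qs: "x", "tough-cookie": "x" } },
    "node_modules/qs": {},
    "node_modules/tough-cookie": {},
    "node_modules/jest": {},
  },
};

// npm resolution order: <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the root node_modules is reached.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Returns an array of chains (arrays of package names) from each root
// devDependency down to every package whose name is in `flagged`.
function findFlaggedChains(lock, flagged) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, names, seen) => {
    const deps = packages[path].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const depPath = resolve(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cycle
      const chain = [...names, dep];
      if (flagged.has(dep)) chains.push(chain);
      walk(depPath, chain, new Set([...seen, depPath]));
    }
  };
  for (const root of Object.keys(packages[""].devDependencies || {})) {
    const rootPath = resolve(packages, "", root);
    if (rootPath) walk(rootPath, [root], new Set([rootPath]));
  }
  return chains;
}

const FLAGGED = new Set(["request", "qs", "tough-cookie"]);
console.log(findFlaggedChains(SAMPLE_LOCK, FLAGGED).map((c) => c.join(" -> ")).join("\n"));
```

Against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after the devDependencies are removed confirms nothing else in lib/ts still pulls in the chain.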
--
This message was sent by Atlassian Jira (v8.20.10#820010)