Jens Geyer created THRIFT-6020:
----------------------------------
Summary: Address remaining npm transitive dependency vulnerabilities via audit fix (minimatch, elliptic, lodash)
Key: THRIFT-6020
URL: https://issues.apache.org/jira/browse/THRIFT-6020
Project: Thrift
Issue Type: Dependency upgrade
Components: JavaScript - Library, TypeScript - Library, Node.js - Library
Reporter: Jens Geyer
After THRIFT-6016/6017/6018/6019 are resolved, a set of residual transitive dependency vulnerabilities remain across lib/js, lib/ts, and the root Node.js package:

- [email protected] (CVE-2026-27903, ReDoS, HIGH): pulled in by [email protected] and browserify via glob. Upgrading grunt to 1.6+ or running npm audit fix should pull in a patched version.
- [email protected] (CVE-2025-14505, LOW): pulled in by browserify-sign and create-ecdh (browserify transitive). npm audit fix should be sufficient.
- lodash remaining after THRIFT-6017: any lodash usage not eliminated by the jsdoc upgrade should be addressed by updating the grunt plugins that depend on it (grunt-legacy-util, grunt-legacy-log, grunt-contrib-uglify 5.x).

The fix for this ticket is to run "npm audit fix" in each of lib/js, lib/ts, and the root directory after the prerequisite tickets are resolved, verify that the lock files are updated, and commit the results.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)