[ 
https://issues.apache.org/jira/browse/THRIFT-6018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer resolved THRIFT-6018.
--------------------------------
    Fix Version/s: 0.24.0
         Assignee: Jens Geyer
       Resolution: Fixed

> Remove phantom and phantomjs-prebuilt from lib/ts devDependencies
> -----------------------------------------------------------------
>
>                 Key: THRIFT-6018
>                 URL: https://issues.apache.org/jira/browse/THRIFT-6018
>             Project: Thrift
>          Issue Type: Dependency upgrade
>          Components: TypeScript - Library
>            Reporter: Jens Geyer
>            Assignee: Jens Geyer
>            Priority: Major
>             Fix For: 0.24.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> lib/ts/package.json includes phantom@6 and [email protected] as 
> devDependencies for browser-based test execution. PhantomJS development was 
> suspended in 2018 and no further maintenance is expected.
> These packages transitively bring in the deprecated "request" library 
> (CVE-2023-28155, SSRF, MEDIUM) and its dependencies qs (CVE-2025-15284, DoS, 
> MEDIUM) and tough-cookie (CVE-2023-26136, Prototype Pollution, MEDIUM).
> The fix is to remove phantom and phantomjs-prebuilt from lib/ts 
> devDependencies and migrate any browser tests that currently invoke PhantomJS 
> to a maintained headless browser driver (e.g. Puppeteer or Playwright) or to 
> a Node.js-only test approach that does not require a headless browser.
> This change is a prerequisite for fully eliminating the 
> request/qs/tough-cookie vulnerability chain in lib/ts.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
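The chain the issue describes (phantom and phantomjs-prebuilt dragging in request, and through it qs and tough-cookie) is best confirmed from the lockfile rather than from package.json, which only lists the direct devDependencies. The script below is an added example, not code from the Thrift project or from this issue: it walks a lockfileVersion 2/3 package-lock.json, reports every path from the root's dependencies to a set of target packages, then simulates removing the two devDependencies and pruning what is no longer reachable, so you can check that no other top-level dependency still pulls the same packages in. The LOCK object is a constructed, simplified lock; its versions and the extra `debug` entries (included to exercise nested node_modules resolution) are illustrative and not taken from lib/ts, and the function names are this example's own.

```javascript
// Added example, not Thrift project code: audit a package-lock.json (lockfileVersion 2 or 3,
// which list every installed package under "packages") for the paths by which top-level
// dependencies pull in target packages, then simulate removing the offending devDependencies.
// LOCK is a constructed, simplified lock; versions are illustrative, not taken from lib/ts.

const LOCK = {
  name: "example-ts-lib",
  lockfileVersion: 3,
  packages: {
    "": {
      devDependencies: { phantom: "^6.0.0", "phantomjs-prebuilt": "^2.0.0", mocha: "^10.0.0" },
    },
    "node_modules/phantom": { version: "6.0.0", dependencies: { "phantomjs-prebuilt": "^2.0.0", debug: "^2.0.0" } },
    "node_modules/phantomjs-prebuilt": { version: "2.0.0", dependencies: { request: "^2.0.0" } },
    "node_modules/request": { version: "2.88.0", dependencies: { qs: "~6.5.0", "tough-cookie": "~2.5.0" } },
    "node_modules/qs": { version: "6.5.0" },
    "node_modules/tough-cookie": { version: "2.5.0" },
    "node_modules/debug": { version: "2.6.9" }, // hoisted copy, used by phantom
    "node_modules/mocha": { version: "10.0.0", dependencies: { debug: "^4.0.0" } },
    "node_modules/mocha/node_modules/debug": { version: "4.3.4" }, // nested copy, used by mocha
  },
};

// Dependencies that actually get installed for a lock entry: only the root's
// devDependencies are installed, never those of a transitive package.
function installedDeps(pkg, isRoot) {
  if (!pkg) return {};
  return {
    ...(pkg.dependencies || {}),
    ...(pkg.optionalDependencies || {}),
    ...(isRoot ? pkg.devDependencies || {} : {}),
  };
}

// Resolve `name` from the package at `fromKey` ("" = project root) the way Node does:
// try <fromKey>/node_modules/<name>, then walk up through each parent node_modules.
function resolve(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === "") return null; // not installed (e.g. an unmet optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every simple path from the root to each target, as arrays of package names.
// Cycle-safe through the set of lock keys on the current path; enumerating all simple
// paths can blow up on pathological trees, which is fine for an audit script.
function findDependencyPaths(lock, targets) {
  const packages = lock.packages;
  const wanted = new Set(targets);
  const paths = Object.fromEntries(targets.map((t) => [t, []]));

  function walk(key, trail, onPath) {
    for (const name of Object.keys(installedDeps(packages[key], key === ""))) {
      const depKey = resolve(packages, key, name);
      if (!depKey || onPath.has(depKey)) continue;
      const next = [...trail, name];
      if (wanted.has(name)) paths[name].push(next);
      onPath.add(depKey);
      walk(depKey, next, onPath);
      onPath.delete(depKey);
    }
  }
  walk("", [], new Set([""]));
  return paths;
}

// Drop `names` from the root's dependency fields and prune every entry no longer
// reachable from the root (what `npm uninstall` followed by `npm prune` leaves behind).
// Returns a new lock; the input is not modified.
function removeRootDependencies(lock, names) {
  const out = JSON.parse(JSON.stringify(lock));
  const packages = out.packages;
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const n of names) if (packages[""][field]) delete packages[""][field][n];
  }
  const reachable = new Set([""]);
  const stack = [""];
  while (stack.length) {
    const key = stack.pop();
    for (const name of Object.keys(installedDeps(packages[key], key === ""))) {
      const depKey = resolve(packages, key, name);
      if (depKey && !reachable.has(depKey)) {
        reachable.add(depKey);
        stack.push(depKey);
      }
    }
  }
  for (const key of Object.keys(packages)) if (!reachable.has(key)) delete packages[key];
  return out;
}

const TARGETS = ["request", "qs", "tough-cookie"];
const before = findDependencyPaths(LOCK, TARGETS);
const after = findDependencyPaths(removeRootDependencies(LOCK, ["phantom", "phantomjs-prebuilt"]), TARGETS);
for (const t of TARGETS) {
  console.log(`${t}: before=${JSON.stringify(before[t])} after=${JSON.stringify(after[t])}`);
}
```

Run it against a real lib/ts lockfile by replacing LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty path list for all three targets after the removal is the evidence that the request/qs/tough-cookie chain had no other entry point. Note that lockfileVersion 1 files use a nested "dependencies" tree instead of the flat "packages" map, so this walker does not apply to them.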