[ https://issues.apache.org/jira/browse/FLINK-39191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18063580#comment-18063580 ]

Gyula Komlossi commented on FLINK-39191:
----------------------------------------

I've submitted a PR for this; if accepted, I'll backport it to other branches.

> Upgrade monaco-editor to 0.55.1 to get rid of DOMPurify CVEs
> ------------------------------------------------------------
>
>                 Key: FLINK-39191
>                 URL: https://issues.apache.org/jira/browse/FLINK-39191
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Yaroslav
>            Priority: Major
>              Labels: pull-request-available
>
> Currently Flink uses monaco-editor version 0.31.1, which seems to depend
> on DOMPurify version 2.3.1, which is vulnerable to CVE-2024-48910,
> CVE-2024-45801, CVE-2024-47875 and CVE-2025-26791.
> The latest monaco-editor release, 0.55.1, uses DOMPurify version 3.2.7,
> which is not vulnerable to any of those CVEs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
