[ https://issues.apache.org/jira/browse/FLINK-39516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martijn Visser closed FLINK-39516.
----------------------------------
    Resolution: Duplicate

> [web dashboard] Address npm security advisories in flink-runtime-web web-dashboard
> -----------------------------------------------------------------------------------
>
>                 Key: FLINK-39516
>                 URL: https://issues.apache.org/jira/browse/FLINK-39516
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Runtime / Web Frontend
>            Reporter: Purushottam Sinha
>            Priority: Minor
>              Labels: pull-request-available
>         Attachments: VULNERABILITIES.md
>
>
> *Description:*
> `npm audit` against flink-runtime-web/web-dashboard currently reports 55
> advisories (2 critical, 30 high, 17 moderate, 6 low). None are in
> runtime-shipped code — the dashboard is a static Angular SPA served by the
> JobManager — but the critical and high findings appear in GHAS/Dependabot
> scans and block clean audit reports for downstream consumers.
>
> *Goal:* Drive the advisory count to zero (or to an explicitly documented
> residual set) without regressing the dashboard build or runtime behavior.
> Approach is split into two phases because the fixes fall into two distinct
> categories:
> 1. SemVer-compatible fixes (lockfile-only): transitives with patches inside
> the currently declared SemVer ranges. Low risk, no package.json churn.
> 2. Major-version upgrades (package.json changes): advisories whose patches
> only exist in a new major. Higher risk — touches the Angular framework, the
> Angular build tooling, and the deprecated Protractor subtree pulled in by
> @angular-devkit/build-angular.
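The two-phase split described in the issue (lockfile-only fixes vs. major bumps vs. residual, documented findings) can be derived mechanically from the `npm audit --json` report. The script below is an added example, not code from the issue or the Flink project; it relies on the npm v7+ audit JSON layout, and the package names and versions in the sample are constructed placeholders, not real advisories.

```javascript
// Added example (not from the Flink issue or project): sort an `npm audit --json`
// report into the phases named in the issue. In the npm v7+ layout,
// vulnerabilities[name].fixAvailable is true (fix inside the declared SemVer
// range, lockfile-only), false (no fix published), or an object
// {name, version, isSemVerMajor} naming the top-level package that must move.
const SEVERITIES = ['critical', 'high', 'moderate', 'low', 'info'];

function triageAudit(report) {
  const result = {
    phase1Lockfile: [], // applied by plain `npm audit fix`, no package.json change
    phase2Major: [],    // needs a semver-major bump in package.json; review the dependent
    unfixable: [],      // no published fix; goes in the documented residual set
    bySeverity: Object.fromEntries(SEVERITIES.map(s => [s, 0])),
  };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    result.bySeverity[v.severity] = (result.bySeverity[v.severity] || 0) + 1;
    const entry = { name, severity: v.severity, direct: !!v.isDirect };
    const fix = v.fixAvailable;
    if (fix === true) {
      result.phase1Lockfile.push(entry);
    } else if (fix && typeof fix === 'object') {
      // A non-major bump of a top-level dependency is still applied by `npm audit fix`;
      // only isSemVerMajor forces the package.json change that defines phase 2.
      entry.bump = `${fix.name}@${fix.version}`;
      (fix.isSemVerMajor ? result.phase2Major : result.phase1Lockfile).push(entry);
    } else {
      result.unfixable.push(entry);
    }
  }
  // Work each phase critical-first: stable sort by severity rank.
  const rank = e => SEVERITIES.indexOf(e.severity);
  for (const k of ['phase1Lockfile', 'phase2Major', 'unfixable']) {
    result[k].sort((a, b) => rank(a) - rank(b));
  }
  return result;
}

// Constructed sample in the npm v7+ layout; names and versions are placeholders.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'transitive-a': { name: 'transitive-a', severity: 'high', isDirect: false, fixAvailable: true },
    'build-tool-b': { name: 'build-tool-b', severity: 'critical', isDirect: true,
      fixAvailable: { name: 'build-tool-b', version: '17.0.0', isSemVerMajor: true } },
    'e2e-runner-c': { name: 'e2e-runner-c', severity: 'moderate', isDirect: false,
      fixAvailable: { name: 'build-tool-b', version: '17.0.0', isSemVerMajor: true } },
    'legacy-d': { name: 'legacy-d', severity: 'low', isDirect: false, fixAvailable: false },
  },
};

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT), null, 2));
```

Feed a real report by replacing `SAMPLE_AUDIT` with `JSON.parse` of the `npm audit --json` output; the `phase2Major` bucket then lists which top-level package each major bump hangs on, which is the review unit for phase 2.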



--
This message was sent by Atlassian Jira
(v8.20.10#820010)