[
https://issues.apache.org/jira/browse/HBASE-29741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on HBASE-29741 started by Dávid Paksy.
-------------------------------------------
> Upgrade website npm dependencies to fix CVE-s
> ---------------------------------------------
>
> Key: HBASE-29741
> URL: https://issues.apache.org/jira/browse/HBASE-29741
> Project: HBase
> Issue Type: Task
> Components: security, website
> Reporter: Dávid Paksy
> Assignee: Dávid Paksy
> Priority: Major
>
> Since we merged the new HBase website
> (https://issues.apache.org/jira/browse/HBASE-29689) patch yesterday,
> Dependabot opened a couple of PR-s to update npm packages (dependencies)
> because of known CVE-s:
> [https://github.com/apache/hbase/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen+author%3Aapp%2Fdependabot]
>
> * [glob CLI: Command injection via -c/--cmd executes matches with
> shell:true|https://github.com/apache/hbase/security/dependabot/108] HIGH
> * [mdast-util-to-hast has unsanitized class
> attribute|https://github.com/apache/hbase/security/dependabot/111] MODERATE
> * [node-tar has a race condition leading to uninitialized memory
> exposure|https://github.com/apache/hbase/security/dependabot/106] MODERATE
> * [vite allows server.fs.deny bypass via backslash on
> Windows|https://github.com/apache/hbase/security/dependabot/105] MODERATE
> * [js-yaml has prototype pollution in merge
> (<<)|https://github.com/apache/hbase/security/dependabot/107] MODERATE
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
