[
https://issues.apache.org/jira/browse/NIFI-13956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17894738#comment-17894738
]
Joe Witt commented on NIFI-13956:
---------------------------------
And it is a dev dependency. Not in the shipped product. It will get sorted in
due time
> JS dependencies have security vulnerabilities
> ----------------------------------------------
>
> Key: NIFI-13956
> URL: https://issues.apache.org/jira/browse/NIFI-13956
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 2.0.0-M4, 2.0.0
> Reporter: Dimitri John Ledkov
> Priority: Major
>
> Can you please upgrade angularjs to latest minor point release as well as
> http_proxy_middleware? Scanners are picking up that there are vulnerabilities.
>
> ```
> xnox@chainguard:/tmp/nifi/nifi-frontend/src/main/frontend$ npm audit
> # npm audit report
>
> http-proxy-middleware 3.0.0 - 3.0.2
> Severity: high
> Denial of service in http-proxy-middleware -
> https://github.com/advisories/GHSA-c7qv-q95q-8v27
> fix available via `npm audit fix --force`
> Will install @angular-devkit/[email protected], which is outside the
> stated dependency range
> node_modules/http-proxy-middleware
> @angular-devkit/build-angular 18.0.0-next.0 - 18.2.9 || 19.0.0-next.0 -
> 19.0.0-next.9
> Depends on vulnerable versions of http-proxy-middleware
> node_modules/@angular-devkit/build-angular
>
> 2 high severity vulnerabilities
>
> To address all issues, run:
> npm audit fix --force
> ```
>
> Note usually dependabot can help with these, and it is a good practice to run
> `npm audit` prior to cutting a release.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
