[ https://issues.apache.org/jira/browse/NIFI-13956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895024#comment-17895024 ]

Dimitri John Ledkov commented on NIFI-13956:
--------------------------------------------

I agree that dev dependencies do not matter.

I am testing the latest stable release, rather than master.

In rel/nifi-1.28.0 I see this:

```
xnox@chainguard:~/upstream/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend$
 npm audit --omit dev
# npm audit report

angular  *
Severity: high
angular vulnerable to regular expression denial of service (ReDoS) - 
https://github.com/advisories/GHSA-m2h2-264f-f486
Angular (deprecated package) Cross-site Scripting - 
https://github.com/advisories/GHSA-prc3-vjfx-vhm9
angular vulnerable to regular expression denial of service via the 
angular.copy() utility - https://github.com/advisories/GHSA-2vrf-hf26-jrp5
angular vulnerable to regular expression denial of service via the $resource 
service - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx
angular vulnerable to regular expression denial of service via the <input 
type="url"> element - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr
angular vulnerable to super-linear runtime due to backtracking - 
https://github.com/advisories/GHSA-4w4v-5hc9-xrr2
AngularJS allows attackers to bypass common image source restrictions - 
https://github.com/advisories/GHSA-m9gf-397r-hwpg
AngularJS allows attackers to bypass common image source restrictions - 
https://github.com/advisories/GHSA-mqm9-c95h-x2p6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/angular
  angular-material  >=1.1.25
  Depends on vulnerable versions of angular
  node_modules/angular-material

2 vulnerabilities (1 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

```

and

```
xnox@chainguard:~/upstream/nifi/nifi-nar-bundles/nifi-standard-bundle/nifi-jolt-transform-json-ui/src/main/frontend$
 npm audit --omit dev
# npm audit report

angular  *
Severity: high
angular vulnerable to regular expression denial of service (ReDoS) - 
https://github.com/advisories/GHSA-m2h2-264f-f486
Angular (deprecated package) Cross-site Scripting - 
https://github.com/advisories/GHSA-prc3-vjfx-vhm9
angular vulnerable to regular expression denial of service via the 
angular.copy() utility - https://github.com/advisories/GHSA-2vrf-hf26-jrp5
angular vulnerable to regular expression denial of service via the $resource 
service - https://github.com/advisories/GHSA-2qqx-w9hr-q5gx
angular vulnerable to regular expression denial of service via the <input 
type="url"> element - https://github.com/advisories/GHSA-qwqh-hm9m-p5hr
angular vulnerable to super-linear runtime due to backtracking - 
https://github.com/advisories/GHSA-4w4v-5hc9-xrr2
AngularJS allows attackers to bypass common image source restrictions - 
https://github.com/advisories/GHSA-m9gf-397r-hwpg
AngularJS allows attackers to bypass common image source restrictions - 
https://github.com/advisories/GHSA-mqm9-c95h-x2p6
fix available via `npm audit fix`
node_modules/angular

1 high severity vulnerability

To address all issues, run:
  npm audit fix

```
Are you able to upgrade the above and cut rel/nifi-1.28.1 release tag?

> Upgrade @angular-devkit/build-angular 18.2.11 or later
> ------------------------------------------------------
>
>                 Key: NIFI-13956
>                 URL: https://issues.apache.org/jira/browse/NIFI-13956
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>    Affects Versions: 2.0.0-M4, 2.0.0
>            Reporter: Dimitri John Ledkov
>            Assignee: Matt Gilman
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Can you please upgrade angularjs to latest minor point release as well as 
> http_proxy_middleware? Scanners are picking up that there are vulnerabilities.
>  
> ```
>  xnox@chainguard:/tmp/nifi/nifi-frontend/src/main/frontend$ npm audit
>  # npm audit report
>  
>  http-proxy-middleware  3.0.0 - 3.0.2
>  Severity: high
>  Denial of service in http-proxy-middleware - 
> https://github.com/advisories/GHSA-c7qv-q95q-8v27
>  fix available via `npm audit fix --force`
>  Will install @angular-devkit/[email protected], which is outside the 
> stated dependency range
>  node_modules/http-proxy-middleware
>    @angular-devkit/build-angular  18.0.0-next.0 - 18.2.9 || 19.0.0-next.0 - 
> 19.0.0-next.9
>    Depends on vulnerable versions of http-proxy-middleware
>    node_modules/@angular-devkit/build-angular
>  
>  2 high severity vulnerabilities
>  
>  To address all issues, run:
>    npm audit fix --force
> ```
>  
> Note usually dependabot can help with these, and it is a good practice to run 
> `npm audit` prior to cutting a release.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
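The release-time check this thread recommends (the original report's advice to run `npm audit` before cutting a release, and the comment's narrowing to production dependencies with `--omit dev`) can be turned into a CI gate over the audit's JSON output. The following is an added example, not code from the NiFi project; the sample report is constructed to resemble the nifi-web-ui output above, with a placeholder where the post redacts the fix version.

```javascript
// Added example, not NiFi project code: a release gate over `npm audit --omit dev --json`
// (in CI: `npm audit --omit dev --json > audit.json`, then exit with auditExitCode(parsed)).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Findings at or above `minSeverity` from an npm audit report (auditReportVersion 2): advisory
// URLs, transitive exposure, and whether the offered fix is semver-major (the "breaking change").
function auditFindings(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < threshold) continue;
    // `via` mixes advisory objects (root cause) with package names (transitive exposure).
    const advisories = vuln.via.filter((v) => typeof v === 'object').map((v) => v.url);
    const dependsOn = vuln.via.filter((v) => typeof v === 'string');
    const fix = vuln.fixAvailable;
    findings.push({
      name, severity: vuln.severity, range: vuln.range, advisories, dependsOn,
      fixAvailable: Boolean(fix),
      breakingFix: typeof fix === 'object' && fix.isSemVerMajor === true,
    });
  }
  return findings;
}
// Pipeline exit status: non-zero when any production dependency meets the threshold.
function auditExitCode(report, minSeverity = 'high') {
  return auditFindings(report, minSeverity).length === 0 ? 0 : 1;
}
// Constructed sample shaped like the rel/nifi-1.28.0 nifi-web-ui report above (two of its
// advisories; the fix version is a placeholder because the post redacts it).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    angular: {
      name: 'angular', severity: 'high', isDirect: true, range: '*', nodes: ['node_modules/angular'],
      via: [{ url: 'https://github.com/advisories/GHSA-m2h2-264f-f486', severity: 'high' },
            { url: 'https://github.com/advisories/GHSA-prc3-vjfx-vhm9', severity: 'moderate' }],
      effects: ['angular-material'],
      fixAvailable: { name: 'angular-material', version: '<placeholder>', isSemVerMajor: true },
    },
    'angular-material': {
      name: 'angular-material', severity: 'moderate', isDirect: true, range: '>=1.1.25',
      via: ['angular'], effects: [], nodes: ['node_modules/angular-material'],
      fixAvailable: { name: 'angular-material', version: '<placeholder>', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

for (const f of auditFindings(SAMPLE_REPORT, 'moderate'))
  console.log(f.severity, `${f.name}@${f.range}`, f.breakingFix ? '(fix is breaking)' : '',
              ...f.advisories, ...f.dependsOn.map((d) => 'via ' + d));
```

With the default `high` threshold only `angular` itself fails the gate; lowering it to `moderate` also surfaces `angular-material`, whose only exposure is through `angular`, which is the case where the offered fix is a breaking downgrade rather than a patch.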
