rfellows opened a new pull request, #10762: URL: https://github.com/apache/nifi/pull/10762
# NIFI-15459

Addresses high-severity XSS vulnerability in Angular's SVG script attribute sanitization.

Changes:
- Updated @angular/* packages from 20.3.15 to 20.3.16 (security patch)
- Regenerated package-lock.json with updated dependency tree

Verification:
- Build completes successfully
- All 271 test suites pass (1,303 tests total)
- npm audit: 0 vulnerabilities
- No regressions detected

Vulnerability Details:
- CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6)
- Affects: Angular 20.0.0-next.0 through 20.3.15
- Issue: SVG script href/xlink:href attributes not recognized as Resource URL contexts
- Fixed in: Angular 20.3.16

References:
- https://github.com/advisories/GHSA-jrmj-c5cx-3cw6
- https://osv.dev/vulnerability/GHSA-jrmj-c5cx-3cw6
- https://github.com/apache/nifi/security/dependabot/518
- https://github.com/apache/nifi/security/dependabot/516
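Added example, not part of the pull request or of NiFi's code: a check that walks a parsed package-lock.json and reports Angular entries inside the affected range quoted above, with semver prerelease ordering so that `20.0.0-next.0` is handled correctly. The package list, the function names and the sample lockfile are assumptions made for the example.

```javascript
// Added example, not NiFi or Angular code.
const AFFECTED_MIN = '20.0.0-next.0'; // range start, from the PR description
const AFFECTED_MAX = '20.3.15';       // range end, from the PR description
// Assumption: packages to check; the PR description only says "@angular/*".
const PACKAGES = ['@angular/core', '@angular/compiler'];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts (null if malformed).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric core first; a prerelease sorts below its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (!a.pre.length || !b.pre.length) return (a.pre.length ? 0 : 1) - (b.pre.length ? 0 : 1);
  for (let i = 0; ; i++) {
    const x = a.pre[i], y = b.pre[i];
    // A shorter identifier list sorts below a longer one with the same prefix.
    if (x === undefined || y === undefined) return (x === undefined ? 0 : 1) - (y === undefined ? 0 : 1);
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x < +y ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort below alphanumeric
    return x < y ? -1 : 1;
  }
}

// True when version lies in [AFFECTED_MIN, AFFECTED_MAX]; malformed versions are skipped.
function isAffected(version) {
  const v = parse(version);
  return !!v && compare(v, parse(AFFECTED_MIN)) >= 0 && compare(v, parse(AFFECTED_MAX)) <= 0;
}

// lock: parsed package-lock.json with a "packages" map (lockfileVersion 2 or 3).
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, e]) => ({ name: path.split('node_modules/').pop(), version: e.version, path }))
    .filter((p) => PACKAGES.includes(p.name) && p.version && isAffected(p.version))
    .map((p) => `${p.name}@${p.version} (${p.path})`);
}

// Constructed sample lockfile fragment, not taken from NiFi.
const SAMPLE_LOCK = { packages: {
  'node_modules/@angular/core': { version: '20.3.15' },
  'node_modules/@angular/compiler': { version: '20.3.16' } } };
console.log(findAffected(SAMPLE_LOCK));
```

Nested copies such as `node_modules/foo/node_modules/@angular/core` are matched as well, since only the last path segment after `node_modules/` is compared.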
