rfellows opened a new pull request, #10989: URL: https://github.com/apache/nifi/pull/10989
…s (angular i18n xss, rollup, serialize-javascript, minimatch)

# Summary

[NIFI-15691](https://issues.apache.org/jira/browse/NIFI-15691)

Here's a PR description that follows the NiFi project's conventions:

---

**Title:** NIFI-15691 - Address various javascript/typescript dependabot findings (angular i18n xss, rollup, serialize-javascript, minimatch)

**Description:**

## Summary

Addresses 26 high-severity npm audit vulnerabilities in `nifi-frontend` by bumping Angular packages from 20.3.16 to 20.3.17 and adding targeted npm overrides for transitive dependencies (`rollup`, `serialize-javascript`, `minimatch`). After these changes, all high-severity findings are resolved, leaving only 5 pre-existing low-severity issues that require a breaking major version upgrade to `jest-preset-angular` and are deferred.

## Security Advisories Addressed

| Dependabot | GHSA ID | CVE | npm Package | Description | Severity |
|---|---|---|---|---|---|
| https://github.com/apache/nifi/security/dependabot/581 | [GHSA-prjf-86w9-mfqv](https://github.com/advisories/GHSA-prjf-86w9-mfqv) | CVE-2026-27970 | `@angular/core` | Angular i18n vulnerable to Cross-Site Scripting | HIGH |
| https://github.com/apache/nifi/security/dependabot/568 | [GHSA-mw96-cpmx-2vgc](https://github.com/advisories/GHSA-mw96-cpmx-2vgc) | CVE-2026-27606 | `rollup` | Rollup 4 Arbitrary File Write via Path Traversal | HIGH |
| https://github.com/apache/nifi/security/dependabot/582 | [GHSA-5c6j-r48x-rmvq](https://github.com/advisories/GHSA-5c6j-r48x-rmvq) | *(pending)* | `serialize-javascript` | RCE via `RegExp.flags` and `Date.prototype.toISOString()` | HIGH |
| https://github.com/apache/nifi/security/dependabot/567 | [GHSA-3ppc-4f35-3m26](https://github.com/advisories/GHSA-3ppc-4f35-3m26) | CVE-2026-26996 | `minimatch` | ReDoS via repeated wildcards with non-matching literal | HIGH |
| https://github.com/apache/nifi/security/dependabot/572 | [GHSA-7r86-cg39-jmmj](https://github.com/advisories/GHSA-7r86-cg39-jmmj) | CVE-2026-27903 | `minimatch` | ReDoS: `matchOne()` combinatorial backtracking via GLOBSTAR | HIGH |
| https://github.com/apache/nifi/security/dependabot/573 | [GHSA-23c5-xmqv-rm74](https://github.com/advisories/GHSA-23c5-xmqv-rm74) | CVE-2026-27904 | `minimatch` | ReDoS: nested `*()` extglobs catastrophic backtracking | HIGH |

## What's Changed

- **Angular patch bump (20.3.16 → 20.3.17):** Updated `@angular/animations`, `@angular/common`, `@angular/compiler`, `@angular/core`, `@angular/forms`, `@angular/platform-browser`, `@angular/platform-browser-dynamic`, `@angular/router`, and `@angular/compiler-cli` to address CVE-2026-27970 (XSS in i18n).
- **npm override for `rollup` (4.52.3 → >=4.59.0):** Forces resolution of `rollup` to a patched version, fixing the path traversal file write vulnerability in the transitive dependency pulled in by `@angular/build` and `ng-packagr`.
- **npm override for `serialize-javascript` (6.0.2 → >=7.0.3):** Forces resolution to a patched version, addressing the RCE vulnerability in the transitive dependency pulled in by `copy-webpack-plugin` and `css-minimizer-webpack-plugin`.
- **npm overrides for `minimatch`:** Targeted overrides to resolve three separate ReDoS CVEs:
  - `@humanwhocodes/config-array` → `[email protected]` (was 3.1.3)
  - `nx`, `@nx/devkit`, `@nx/jest` → `[email protected]` (was 9.0.3)

## Audit Results

- **Before:** 31 vulnerabilities (5 low, 26 high)
- **After:** 5 vulnerabilities (5 low, 0 high)

The remaining 5 low-severity issues stem from `@tootallnate/once` in the `jest-preset-angular` → `jest-environment-jsdom` → `jsdom` → `http-proxy-agent` chain. Resolving these requires upgrading `jest-preset-angular` from 14.x to 16.x (a breaking change) and is deferred to a separate effort.

## Testing

- Verified `npm audit` reports 0 high-severity vulnerabilities after changes
- Clean `npm install` with no peer dependency conflicts
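The overrides described above only help if every installed copy of the transitive dependency, including nested copies under other packages' `node_modules`, actually resolves to the patched range. As an added example that is not part of the NiFi PR, the following script walks the `packages` map of a lockfile (v2/v3 layout) and flags each copy of a package that falls below a required minimum; the lockfile excerpt and the `example-frontend` name are constructed for illustration.

```javascript
// Added example (not from the NiFi PR): find every installed copy of a
// dependency in a package-lock.json "packages" map, including nested copies
// such as node_modules/@angular/build/node_modules/rollup, and flag any copy
// below a required minimum version. The lockfile excerpt below is constructed.

// Parse "major.minor.patch" (prerelease tag ignored) into numeric parts.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// True when installed >= minimum, comparing major, minor and patch in order.
function satisfiesMinimum(installed, minimum) {
  const a = parseVersion(installed);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// A lockfile key that is exactly "node_modules/<name>" or ends with
// "/node_modules/<name>" is an installed copy of <name> (scoped names are
// handled because the full "node_modules/@scope/name" suffix must match).
function checkInstalledCopies(lock, name, minimum) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      ok: satisfiesMinimum(meta.version, minimum),
    }));
}

// Constructed lockfile excerpt: the hoisted rollup is patched, but a nested
// copy under @angular/build still resolves to the vulnerable 4.52.x range,
// which is exactly the situation a forced override is meant to remove.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-frontend' },
    'node_modules/rollup': { version: '4.59.0' },
    'node_modules/@angular/build/node_modules/rollup': { version: '4.52.3' },
    'node_modules/serialize-javascript': { version: '7.0.3' },
  },
};

// Report every rollup copy and whether it meets the >=4.59.0 floor from the PR.
function auditSample() {
  return checkInstalledCopies(sampleLock, 'rollup', '4.59.0');
}
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; any entry with `ok: false` means the override did not reach that nested copy.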
