[
https://issues.apache.org/jira/browse/TEZ-4436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568688#comment-17568688
]
PJ Fanning commented on TEZ-4436:
---------------------------------
I ran the security check with latest master branch. Unfortunately, github does
not let other users view the results. You could try enabling it on your fork of
Tez.
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
https://issues.apache.org/jira/browse/TEZ-4337 would be a good start but there
is probably more to do after that is merged.
> [TEZ-UI] uses many vulnerable libraries
> ---------------------------------------
>
> Key: TEZ-4436
> URL: https://issues.apache.org/jira/browse/TEZ-4436
> Project: Apache Tez
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> TEZ-4337 might help to start.
> I created a fork of tez in github and enabled dependabot (using security
> tab). Dozens of issues were found with NPMs that have known vulnerabilities.
> Examples:
> * https://github.com/advisories/GHSA-jf85-cpcp-j695 (loadash)
> * https://github.com/advisories/GHSA-765h-qjxv-5f44 (handlebars)
> * https://github.com/advisories/GHSA-wc69-rhjr-hc9g (moment)
> * https://github.com/advisories/GHSA-xvch-5gv4-984h (minimist)
> * https://github.com/advisories/GHSA-34r7-q49f-h37c (uglify-js)
> * many more
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
