Wilfred Spiegelenburg created YUNIKORN-3198:
-----------------------------------------------
Summary: CVE: update dependencies for site build
Key: YUNIKORN-3198
URL: https://issues.apache.org/jira/browse/YUNIKORN-3198
Project: Apache YuniKorn
Issue Type: Task
Components: website
Reporter: Wilfred Spiegelenburg
Dependabot has opened a number of issues against the website dependencies:
* #58 [pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"|https://github.com/apache/yunikorn-site/security/dependabot/58] High
* #56 [qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion|https://github.com/apache/yunikorn-site/security/dependabot/56] High
* #57 [pnpm vulnerable to Command Injection via environment variable substitution|https://github.com/apache/yunikorn-site/security/dependabot/57] High
* #59 [pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies|https://github.com/apache/yunikorn-site/security/dependabot/59] High
* #60 [Preact has JSON VNode Injection issue|https://github.com/apache/yunikorn-site/security/dependabot/60] High
* #61 [Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion|https://github.com/apache/yunikorn-site/security/dependabot/61] Low
--
This message was sent by Atlassian Jira
(v8.20.10#820010)