xiangfu0 opened a new pull request, #18014:
URL: https://github.com/apache/pinot/pull/18014

## Summary

Use npm overrides to force secure versions of transitive dependencies whose parent packages pin vulnerable version ranges. npm overrides are the official npm mechanism for this — they tell the package manager to substitute a specific version whenever a transitive dependency resolves to a vulnerable range, without requiring upstream packages to publish new releases.

Also adds minimatch as a direct devDependency at 10.2.3 and removes the deprecated @types/minimatch stub package.

### Resolved Dependabot alerts:

- **#47** underscore arbitrary code execution (critical): 1.6.0 → 1.13.8
- **#334** underscore DoS via recursion (high): 1.6.0 → 1.13.8
- **#294** glob command injection (high): 10.4.5 → 10.5.0
- **#330** minimatch ReDoS (high): 10.0.3 → 10.2.3
- **#332** minimatch ReDoS (high): 3.1.2 → 3.1.5, 9.0.3 → 9.0.7
- serialize-javascript RCE/DoS: 4.0.0 → 7.0.5

## Test plan

- [ ] Verify succeeds in pinot-controller/src/main/resources/
- [ ] Run found 0 vulnerabilities to confirm the targeted alerts are resolved
- [ ] Verify the Controller UI loads correctly after rebuild

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
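A way to check that overrides like the ones in this PR actually reached every installed copy, including nested ones under another package's `node_modules`, is to walk the lockfile after `npm install`. The script below is an added example, not code from the PR or from Pinot; the fixed versions come from the alert list above, the lockfile it scans is constructed, and treating any serialize-javascript major below 7 as "compare against 7.0.5" is an assumption made here.

```javascript
// Added example, not code from the PR: scan a parsed package-lock.json (lockfile
// v2/v3 "packages" map) for copies of the PR's packages still below their fix.
// Minimum fixed version per package and major line, from the PR's alert list.
const FIXED = {
  underscore: { 1: "1.13.8" },
  glob: { 10: "10.5.0" },
  minimatch: { 3: "3.1.5", 9: "9.0.7", 10: "10.2.3" },
  "serialize-javascript": { 7: "7.0.5" }, // older majors (4.x) compared to this (assumption)
};
// Numeric compare of dotted versions (pre-release suffix ignored): -1, 0 or 1.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// Every installed copy below its fix as [{ path, name, version, fixed }]; nested
// copies (node_modules/glob/node_modules/minimatch) are what overrides must reach.
function findBelowFix(lock) {
  const findings = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === "" || !meta.version) continue; // "" is the root project entry
    const name = p.split("node_modules/").pop(); // keeps scoped names like @types/x
    const fixes = FIXED[name];
    if (!fixes) continue;
    const major = Number(meta.version.split(".")[0]);
    const lowest = Math.min(...Object.keys(fixes).map(Number));
    const target = fixes[major] || (major < lowest ? fixes[lowest] : null); // unlisted higher majors: skip
    if (target && cmpVersion(meta.version, target) < 0) {
      findings.push({ path: p, name, version: meta.version, fixed: target });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level minimatch override took effect, the
// nested copy under glob did not, and underscore/serialize-javascript are stale.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-ui" },
    "node_modules/underscore": { version: "1.6.0" },
    "node_modules/minimatch": { version: "10.2.3" },
    "node_modules/glob/node_modules/minimatch": { version: "9.0.3" },
    "node_modules/serialize-javascript": { version: "4.0.0" },
  },
};

for (const h of findBelowFix(SAMPLE_LOCK)) console.log(`${h.path}: ${h.version} < ${h.fixed}`);
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findBelowFix`; a non-empty result means an override key did not match that copy (for instance a range-qualified key such as `minimatch@^9` is needed when several major lines coexist).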
