Nihal Jain created HBASE-28921:
----------------------------------
Summary: Skip bundling hbase-webapps folder in jars
Key: HBASE-28921
URL: https://issues.apache.org/jira/browse/HBASE-28921
Project: HBase
Issue Type: Improvement
Components: security, UI
Reporter: Nihal Jain
Assignee: Nihal Jain
Bootstrap 3.4.1 was released in 13 Feb, 2019 and there has been no new 3.x
release since then. This version of bootstrap has multiple medium CVEs reported
recently.
See [https://security.snyk.io/package/npm/bootstrap/3.4.1] for details.
CVE List:
* [https://www.cve.org/CVERecord?id=CVE-2024-6484]
* [https://www.cve.org/CVERecord?id=CVE-2024-6485]
Related Github Issue/Advisory:
* [https://github.com/twbs/bootstrap/issues/40692]
* [https://github.com/advisories/GHSA-9mvj-f7w8-pvh2]
Based on synk.io the only non-vulnerable version seems to be in 5.x line.
Upgrading from 3.x to 4.x itself would be substantial work. So may be we would
have to move step by step i.e. migrate from 3.x to 4.x and then 4.x to 5.x.
This JIRA is to capture all sub-task needed to achieve same.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
