[FLINK-39516][web dashboard] Address npm security advisories in flink-runtime-web web-dashboard

[spuru9]

What is the purpose of the change

The purpose of this pull request is to address multiple npm security advisories in the flink-runtime-web's web-dashboard. This is achieved by upgrading several dependencies to their latest secure versions, including a major upgrade of the Angular framework and related libraries.

Brief change log

• Upgraded Angular and related @angular/* packages from 18.x to 20.1.3.
• Updated package-lock.json to resolve numerous SemVer-compatible and major security advisories.
• Comprehensively updated the flink-runtime-web/src/main/resources/META-INF/NOTICE file to reflect the new dependency versions and added/removed packages.

Verifying this change

This change is primarily a dependency upgrade to resolve security issues. It can be verified by:

• Ensuring the web-dashboard builds successfully (npm run build).
• Running existing linting and sanity checks (npm run lint).
• Verifying that the Web UI remains functional after the upgrade.
• (CI) Azure Pipelines will verify the full build and integration.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): yes
• The public API, i.e., is any changed class annotated with @Public(Evolving): no
• The serializers: no
• The runtime per-record code paths (performance sensitive): no
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
• The S3 file system connector: no

Documentation

• Does this pull request introduce a new feature? no
• If yes, how is the feature documented? not applicable

---

Was generative AI tooling used to co-author this PR?

• Yes (Gemini CLI 0.37.2)

Generated-by: Gemini CLI 0.37.2

[spuru9]

As part of FLINK-39517

Severity	Before	After	Resolved
Critical	2	2	0
High	30	16	14
Moderate	17	10	7
Low	6	3	3
Total	55	31	24

Severity	Package	Before → After	Advisories
high	@angular/cli	20.1.3 → 20.3.24	transitive only
high	@isaacs/brace-expansion	5.0.0 → removed	GHSA-7h2j-956f-4vf2
high	@modelcontextprotocol/sdk	1.13.3 → 1.26.0	GHSA-8r9q-7v3j-jr4g GHSA-345p-7cg4-v4c7 GHSA-w48q-cv73-mx4w
high	express	4.21.2, 5.1.0 → 4.22.1, 5.2.1	transitive only
high	flatted	3.3.2 → 3.4.2	GHSA-25h7-pfq9-p65f GHSA-rf6f-7fwh-wjgh
high	glob	10.4.5, 7.2.3 → 13.0.6, 7.2.3	GHSA-5j98-mcp5-4vw2
high	immutable	5.1.3 → 5.1.5	GHSA-wf6x-7x77-mvgw
high	lodash	4.17.21 → 4.18.1	GHSA-xxjr-mmjv-4gpg GHSA-r5fr-rjxr-66jc GHSA-f23m-r3pf-42rh
high	minimatch	10.0.3, 3.1.2, 9.0.5 → 10.2.5, 3.1.5, 9.0.9	GHSA-3ppc-4f35-3m26 GHSA-7r86-cg39-jmmj GHSA-23c5-xmqv-rm74
high	node-forge	1.3.1 → 1.4.0	GHSA-554w-wpv2-vw27 GHSA-5gfm-wpxj-wjgq GHSA-65ch-62r8-g69g GHSA-2328-f5f3-gj25 GHSA-q67f-28xg-22rw GHSA-5m6q-g25r-mvwx GHSA-ppp5-5v6c-4jwp
high	pacote	21.0.0 → 21.0.4	transitive only
high	path-to-regexp	0.1.12, 8.2.0 → 0.1.13, 8.4.2	GHSA-37ch-88jc-xwx2 GHSA-j3q9-mxjg-w52f GHSA-27v5-c462-wpq7
high	tar	6.2.1, 7.4.3 → 7.5.13	GHSA-34x7-hfp2-rc4v GHSA-8qq5-rm4j-mr97 GHSA-83g3-92jg-28cx GHSA-qffp-2rhf-9h96 GHSA-9ppj-qmqm-q256 GHSA-r6q2-hw4h-h46w
high	terser-webpack-plugin	5.3.14 → 5.4.0	transitive only
moderate	@angular-devkit/schematics	20.1.3 → 20.3.24	transitive only
moderate	@schematics/angular	20.1.3 → 20.3.24	transitive only
moderate	body-parser	1.20.3, 2.2.0 → 1.20.4, 2.2.2	GHSA-wqch-xfxh-vrr4
moderate	brace-expansion	1.1.11, 2.0.2 → 1.1.14, 2.1.0, 5.0.5	GHSA-v6h2-p8h4-qcjw GHSA-f886-m6hf-6m8v
moderate	follow-redirects	1.15.9 → 1.16.0	GHSA-r4q5-vmmm-2653
moderate	js-yaml	4.1.0 → 4.1.1	GHSA-mh29-5h37-fv8m
moderate	yaml	1.10.2, 2.8.0 → 1.10.3, 2.8.3	GHSA-48c2-rrv3-qjmp
low	@inquirer/editor	4.2.15 → 4.2.23	transitive only
low	diff	4.0.2 → 4.0.4	GHSA-73rr-hh4g-fpgx
low	external-editor	3.1.0 → removed	transitive only

[spuru9]

As part of FLINK-39517

Framework & Core Tooling

Package	Version Upgrade	Primary Vulnerabilities Resolved	Advisory URLs
@angular/common	20.1.3 → 20.3.19	XSRF Token Leakage	GHSA-58c5-g7wp-6w37
@angular/compiler	20.1.3 → 20.3.19	Stored XSS via SVG/MathML, i18n ICU messages	GHSA-v4hv-rgfq-gp49, GHSA-jrmj-c5cx-3cw6, GHSA-prjf-86w9-mfqv
@angular/core	20.1.3 → 20.3.19	Dependency on vulnerable @angular/compiler	GHSA-g93w-mfhg-p222
@angular/cli	20.1.3 → 20.3.24	Cumulative security patches for build pipeline	N/A

Critical & High Transitive Dependencies

These were resolved by upgrading core dev-dependencies and removing deprecated subtrees.

Transitive Package	Version Upgrade	Vulnerability	Severity	Advisory URL
form-data	<2.5.4 → 3.0.1+	Unsafe Random (Boundary Choice)	Critical	GHSA-fjxv-7rqg-78g4
request	* → Removed	Server-Side Request Forgery (SSRF)	Critical	GHSA-p8p7-x288-28g6
serialize-javascript	7.0.4 → 7.0.6	Remote Code Execution (RCE) / DoS	High	GHSA-5c6j-r48x-rmvq
vite	7.3.1 → 7.3.4	Path Traversal / Arbitrary File Read	High	GHSA-p9ff-h696-f583
rollup	4.58.0 → 4.59.1	Path Traversal / Arbitrary File Write	High	GHSA-mw96-cpmx-2vgc
picomatch	4.0.3 → 5.0.1	ReDoS / Method Injection	High	GHSA-3v7f-55p6-f55p
ajv	8.17.1 → 8.18.0	Regular Expression Denial of Service	Moderate	GHSA-2g4f-4pwh-qvx6
qs	6.14.1 → 6.15.0	Memory Exhaustion (DoS)	Moderate	GHSA-6rw7-vpxm-498p
tough-cookie	4.1.2 → 4.1.3	Prototype Pollution	Moderate	GHSA-72xf-g2v4-qvf3
xml2js	0.4.23 → 0.5.0	Prototype Pollution	Moderate	GHSA-776f-qx25-q3cc
webpack	5.104.0 → 5.105.0	SSRF via allowedUris bypass	Low	GHSA-8fgc-7cc6-rx7x
tmp	0.2.3 → 0.2.4	Arbitrary File/Directory Write	Low	GHSA-52f5-9888-hmc6

Removed Deprecated Dependencies

The following packages were removed from the dependency tree (primarily the protractor subtree) to eliminate associated security risks:

Package	Severity	Reason for Removal
protractor	Moderate	Deprecated testing framework; replaced by modern CLI defaults
webdriver-manager	Moderate	Support package for Protractor; contains xml2js vulnerability
selenium-webdriver	Moderate	Support package for Protractor; contains tmp vulnerability
webdriver-js-extender	Low	Support package for Protractor
request	Critical	Deprecated HTTP client; contains SSRF vulnerability
ajv	Regular Expression Denial of Service	Moderate
qs	Memory Exhaustion (DoS)	Moderate
tough-cookie	Prototype Pollution	Moderate
xml2js	Prototype Pollution	Moderate
webpack	SSRF via allowedUris bypass	Low
tmp	Arbitrary File/Directory Write	Low

Wanted Version Updates & Alignment

These packages were updated to their "Wanted" versions to ensure compatibility with the new Angular version and maintain build tool stability.

Package	From	To	Reason
prettier	^2.4.1	^2.8.8	Alignment with new Angular CLI and linting plugins
ng-zorro-antd	^20.1.0	^20.4.4	Compatibility with Angular 20.3+
@angular-eslint/* (all)	20.1.1	20.7.0	Alignment with Angular CLI and ESLint updates
@typescript-eslint/*	^8.37.0	^8.59.0	Wanted version for improved TypeScript 5.8 support
@antv/g2	^4.1.34	^4.2.12	General stability and bug fixes
core-js	^3.39.0	^3.49.0	Polyfill stability and updated browser compatibility
d3	^7.1.1	^7.9.0	Performance and API stability
eslint-plugin-import	^2.25.4	^2.32.0	Compatibility with updated ESLint engine
eslint-plugin-jsdoc	^50.6.0	^50.8.0	Compatibility with updated ESLint engine
eslint-plugin-prettier	^4.0.0	^4.2.5	Alignment with Prettier 2.8.8
eslint-plugin-unused-imports	^4.1.4	^4.4.1	Bug fixes and compatibility
@types/* (node, d3, etc.)	(various)	(latest)	Typing alignment for updated library versions
ts-node	^10.4.0	^10.9.2	Stability for dev-server and build scripts

[spuru9]

puru@Purushottams-MacBook-Air web-dashboard % npm audit
found 0 vulnerabilities

[flinkbot]

CI report:

• 2583e4f Azure: SUCCESS

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot run azure re-run the last Azure build

[spuru9]

@flinkbot run azure

[spuru9]

@flinkbot run azure
(The failure for this run looks unrelated)

[spuru9]

@rmetzger PR for the cleanup of vulnerabilities as discussed.