[FLINK-39191][runtime-web] Upgrade monaco-editor to 0.55.1#27745

Open
gkomlossi wants to merge 1 commit into apache:master from gkomlossi:monaco_bump

Conversation


@gkomlossi gkomlossi commented Mar 6, 2026

What is the purpose of the change

Upgrade the monaco-editor to version 0.55.1 to avoid CVEs caused by DOMPurify, which monaco-editor depends on. DOMPurify is affected by the following vulnerabilities: CVE-2024-47875 (Critical), CVE-2024-48910 (Medium/High), CVE-2024-45801 (High) and CVE-2025-26791 (Medium).
Upgrading the monaco-editor to version 0.55.1 will resolve these CVEs.

Brief change log

  • The monaco-editor version is updated in package.json and package-lock.json has been regenerated.
  • A minor code change is required in task-manager-thread-dump.component.ts due to the new version of the editor API.

Verifying this change

I tested the change locally and verified the thread-dump with the new monaco-editor page manually.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable


flinkbot commented Mar 6, 2026

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build


@featzhang featzhang left a comment


Could you add a short note in the PR description about the motivation for upgrading monaco-editor?
For example: security fixes, compatibility, or feature updates.

Have we verified the Web Dashboard thread-dump page manually after the upgrade?
Since this is a major version jump for Monaco, a quick UI check would be helpful.

@github-actions github-actions bot added the community-reviewed PR has been reviewed by the community. label Mar 7, 2026
gkomlossi (Author) commented

Thank you for the feedback. I've updated the description. Among others, there is a critical severity CVE (CVE-2024-48910, base score: 9.8) in DOMPurify.
Yes, I've tested the thread-dump page manually on the Flink Dashboard.

@gkomlossi gkomlossi requested a review from featzhang March 10, 2026 14:15