Please do not submit them through the issue tracker, but by mail to the codeowners.
About JsonTypeInfo.Id.MINIMAL_CLASS
EvalEx is an optional (Maven <scope>provided</scope>) dependency: it is not added transitively to downstream projects. In some scenarios it lets a user define a Combinator's business logic as an expression string (see EvaluatedExpressionCombination).
Security consideration: if the expression is hardcoded in the project configuration (e.g. in the measure forest definition at startup), the surface is controlled — the expression is authored by the developer, not the end user. However, if the application exposes expression authoring to end users (e.g. via a UI or an API parameter), the expression must be sanitized before evaluation. EvalEx evaluates arbitrary mathematical/logical expressions; an unsanitized input could lead to denial-of-service (e.g. deeply nested or exponentially expanding expressions) or unexpected behavior. Projects that expose user-authored expressions should restrict the allowed function set and impose length / nesting limits.
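One way to apply the length, nesting and function-allowlist limits described above before handing a user-authored string to EvalEx. This is an added example, not code from Adhoc or from EvalEx: it assumes the EvalEx 3.x API (com.ezylang.evalex.Expression and its evaluate() method), and the limit values and the allowlist contents are constructed for illustration.

```java
import com.ezylang.evalex.EvaluationException;
import com.ezylang.evalex.Expression;
import com.ezylang.evalex.data.EvaluationValue;
import com.ezylang.evalex.parser.ParseException;

import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical pre-evaluation guard for expressions authored by end users.
 * It rejects over-long or deeply nested strings and any call to a function
 * outside a small allowlist, then delegates to EvalEx for the actual evaluation.
 */
public final class GuardedExpressionEvaluator {

    // Constructed limits: tune them to the expressions your Combinators really need.
    private static final int MAX_LENGTH = 256;
    private static final int MAX_NESTING = 8;

    // Constructed allowlist of function names a user-authored expression may call.
    private static final Set<String> ALLOWED_FUNCTIONS = Set.of("MIN", "MAX", "ABS", "ROUND", "IF");

    // An identifier immediately followed by an opening parenthesis is a function call.
    private static final Pattern CALL = Pattern.compile("([A-Za-z_][A-Za-z0-9_]*)\\s*\\(");

    private GuardedExpressionEvaluator() {}

    /** Throws IllegalArgumentException when the expression violates a structural limit. */
    public static void validate(String expression) {
        if (expression == null || expression.isBlank()) {
            throw new IllegalArgumentException("expression is empty");
        }
        if (expression.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("expression longer than " + MAX_LENGTH + " characters");
        }

        // Parenthesis depth is a cheap proxy for nesting: no parser needed to enforce it.
        int depth = 0;
        for (char c : expression.toCharArray()) {
            if (c == '(') {
                depth++;
                if (depth > MAX_NESTING) {
                    throw new IllegalArgumentException("expression nested deeper than " + MAX_NESTING);
                }
            } else if (c == ')') {
                depth--;
                if (depth < 0) {
                    throw new IllegalArgumentException("unbalanced parentheses");
                }
            }
        }
        if (depth != 0) {
            throw new IllegalArgumentException("unbalanced parentheses");
        }

        // Function names are matched case-insensitively against the allowlist.
        Matcher m = CALL.matcher(expression);
        while (m.find()) {
            String name = m.group(1).toUpperCase(Locale.ROOT);
            if (!ALLOWED_FUNCTIONS.contains(name)) {
                throw new IllegalArgumentException("function not allowed: " + name);
            }
        }
    }

    /** Validates, then evaluates with EvalEx (assumed 3.x API). */
    public static EvaluationValue evaluate(String expression) throws EvaluationException, ParseException {
        validate(expression);
        return new Expression(expression).evaluate();
    }

    public static void main(String[] args) throws Exception {
        // Accepted: only allowlisted functions, shallow nesting, short string.
        System.out.println(evaluate("MAX(1, 2) + ABS(-3)").getNumberValue());

        // Rejected before EvalEx ever sees it: a function outside the allowlist.
        try {
            evaluate("SOMEOTHERFUNC(1)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Rejected: nesting deeper than MAX_NESTING.
        try {
            evaluate("((((((((((1))))))))))");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The textual guard runs before parsing, so a hostile string is refused without spending any evaluation time on it. It is deliberately conservative: an identifier followed by "(" is treated as a call even inside a string literal, which may reject a harmless expression but never lets an unlisted function through. For the authoritative restriction of the function set, pair it with EvalEx 3's own ExpressionConfiguration, whose function dictionary decides which functions the evaluator actually knows.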
The build generates a CycloneDX SBOM (target/bom.json) at the verify phase via the cyclonedx-maven-plugin. This machine-readable inventory of all direct and transitive dependencies can be fed into vulnerability scanners (e.g. OWASP Dependency-Track, Grype) or compliance tools. Run mvn verify (or any later phase) to produce it; it is not generated by mvn package or -Pfast.
Pivotable's index.html loads its client-side libraries (Vue, vue-router, pinia, Bootstrap, SlickGrid, Mermaid, …) from WebJars packaged in pivotable-js.jar. The WebJars are served by Spring Boot itself at /webjars/*, so a default Pivotable deployment has no outbound network dependency for the SPA — suitable for air-gapped / restricted-network environments out of the box.
A ?cdn query parameter (e.g. http://host/?cdn) opts into loading the same libraries from cdn.jsdelivr.net/webjars/<groupId>/<artifact>/<version>/<path> — jsdelivr's WebJars mirror. Same WebJar, same version, served from a third-party CDN. This mode is handy for local development before the backend jar is built, or to verify a fresh checkout without waiting for Maven; it is not recommended for production.
Security implications of the ?cdn opt-in:
- Supply-chain risk: a compromised or hijacked CDN could serve tampered assets. Subresource Integrity (integrity attributes on <script>/<link> tags) mitigates this partially but does not eliminate availability risk.
- Network policy: ?cdn makes the SPA unreachable from air-gapped networks — the WebJars mode is the only reliable default there.
Because the mode is controlled by a URL query parameter (client-side only), a hardened deployment that must forbid the CDN mode entirely should either (a) serve index.html through a reverse proxy that strips ?cdn from incoming URLs, or (b) add a Spring-level filter that rejects cdn in the request query string. No such enforcement is built into Pivotable itself — the WebJars-first default is the main defence; ?cdn is a developer convenience, not a supported production mode.
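Option (b) above, as an added example that is not part of Pivotable: a Spring Boot 3 servlet filter that refuses any request whose query string carries a cdn parameter. It assumes the jakarta.servlet API and Spring's OncePerRequestFilter; the class name and the error message are constructed.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical hardening filter: rejects the ?cdn opt-in at the server so that
 * index.html is only ever served in WebJars mode on this deployment.
 */
@Component
public class RejectCdnModeFilter extends OncePerRequestFilter {

    /**
     * True when the raw query string contains a "cdn" key, in any position,
     * with or without a value (?cdn, ?cdn=1, ?x=1&cdn=, ?%63dn all match).
     */
    static boolean hasCdnParameter(String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return false;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            // Decode so that a percent-encoded key cannot slip past the check.
            String decoded;
            try {
                decoded = URLDecoder.decode(key, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // A malformed escape sequence cannot be a legitimate key; treat it as suspicious.
                return true;
            }
            if ("cdn".equalsIgnoreCase(decoded.trim())) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // The raw query string is inspected rather than getParameter("cdn"), because a
        // value-less ?cdn is exactly the form the SPA bootstrap looks for.
        if (hasCdnParameter(request.getQueryString())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CDN asset mode is disabled on this deployment");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Registering the filter as a @Component applies it to every request; if only index.html needs protecting, narrow it with a FilterRegistrationBean URL pattern. Note that this blocks the opt-in for the page load only: the WebJars default is still what guarantees that the SPA itself never reaches out to jsdelivr.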
Regression check: pivotable/js/unit-tests/index-html-default-mode.spec.js asserts the bootstrap script in index.html defaults to WebJars. If the defaults are ever flipped by accident, CI catches it.